http_aws_sigv4: canonicalise valueless query params

Fixes #8107
Closes #12244
Harry Mallon 2023-11-01 14:46:46 +00:00 committed by Daniel Stenberg
parent 2c8f4c87e1
commit bbba69dada
GPG Key ID: 5CC908FDB71E12C2
2 changed files with 13 additions and 4 deletions


@ -456,6 +456,7 @@ static CURLcode canon_query(struct Curl_easy *data,
for(i = 0; !result && (i < entry); i++, ap++) { for(i = 0; !result && (i < entry); i++, ap++) {
size_t len; size_t len;
const char *q = ap->p; const char *q = ap->p;
bool found_equals = false;
if(!ap->len) if(!ap->len)
continue; continue;
for(len = ap->len; len && !result; q++, len--) { for(len = ap->len; len && !result; q++, len--) {
@ -467,9 +468,13 @@ static CURLcode canon_query(struct Curl_easy *data,
case '.': case '.':
case '_': case '_':
case '~': case '~':
/* allowed as-is */
result = Curl_dyn_addn(dq, q, 1);
break;
case '=': case '=':
/* allowed as-is */ /* allowed as-is */
result = Curl_dyn_addn(dq, q, 1); result = Curl_dyn_addn(dq, q, 1);
found_equals = true;
break; break;
case '%': case '%':
/* uppercase the following if hexadecimal */ /* uppercase the following if hexadecimal */
@ -497,7 +502,11 @@ static CURLcode canon_query(struct Curl_easy *data,
} }
} }
} }
if(i < entry - 1) { if(!result && !found_equals) {
/* queries without value still need an equals */
result = Curl_dyn_addn(dq, "=", 1);
}
if(!result && i < entry - 1) {
/* insert ampersands between query pairs */ /* insert ampersands between query pairs */
result = Curl_dyn_addn(dq, "&", 1); result = Curl_dyn_addn(dq, "&", 1);
} }
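Review bot: At `case '=':` every `=` in an entry is still copied through unchanged, so a value that itself contains `=` (for example `a=b=c`) is canonicalised with the second `=` raw, even though only the first one is the name/value separator. As I read the SigV4 canonical-query rules, characters outside the unreserved set inside a value are expected to be percent-encoded, so this likely yields a signature the service rejects; with `found_equals` now available the case could emit `result = found_equals ? Curl_dyn_addn(dq, "%3D", 3) : Curl_dyn_addn(dq, q, 1);` before setting the flag. The exact encoding expected for an embedded `=` should be confirmed against the AWS documentation and covered by a test query alongside the new `noval` case. The body of `canon_query` starts and ends outside these hunks, so any handling elsewhere in the function is not visible here.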


@ -38,7 +38,7 @@ debug
aws-sigv4 with query aws-sigv4 with query
</name> </name>
<command> <command>
"http://fake.fake.fake:8000/%TESTNUMBER/?name=me%&aim=b%aad&&&weirdo=*.//-" -u user:secret --aws-sigv4 "aws:amz:us-east-2:es" --connect-to fake.fake.fake:8000:%HOSTIP:%HTTPPORT "http://fake.fake.fake:8000/%TESTNUMBER/?name=me%&noval&aim=b%aad&&&weirdo=*.//-" -u user:secret --aws-sigv4 "aws:amz:us-east-2:es" --connect-to fake.fake.fake:8000:%HOSTIP:%HTTPPORT
</command> </command>
</client> </client>
@ -46,9 +46,9 @@ aws-sigv4 with query
# Verify data after the test has been "shot" # Verify data after the test has been "shot"
<verify> <verify>
<protocol crlf="yes"> <protocol crlf="yes">
GET /%TESTNUMBER/?name=me%&aim=b%aad&&&weirdo=*.//- HTTP/1.1 GET /439/?name=me%&noval&aim=b%aad&&&weirdo=*.//- HTTP/1.1
Host: fake.fake.fake:8000 Host: fake.fake.fake:8000
Authorization: AWS4-HMAC-SHA256 Credential=user/19700101/us-east-2/es/aws4_request, SignedHeaders=host;x-amz-date, Signature=88884e3b3142133685b2092d29d8b522b785b1a9ec9e4a90cbea83e882f8dcb6 Authorization: AWS4-HMAC-SHA256 Credential=user/19700101/us-east-2/es/aws4_request, SignedHeaders=host;x-amz-date, Signature=cbbf4a72764e27e396730f5e56cea046d4ce862a2d91db4856fb086b92f49270
X-Amz-Date: 19700101T000000Z X-Amz-Date: 19700101T000000Z
User-Agent: curl/%VERSION User-Agent: curl/%VERSION
Accept: */* Accept: */*