rgw: avoid re-encoding already encoded query strings in AWS4 auth

When computing V4 signature, we need to encode the query string. But it
could come already encoded, at least partially.

So do not encode the entities that are already encoded.

Fixes: #10333
Signed-off-by: Javier M. Mellid <jmunhoz@igalia.com>

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 2de86c54117f052fd8d05f8f99b1226e4b73b4f2..d30fd38ed5a2c30f3d29aea1203382b1aa8fba01 100644 (file)
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -939,16 +939,23 @@ static bool char_needs_url_encoding(char c)
   return false;
 }
 
-void url_encode(const string& src, string& dst)
+void url_encode(const string& src, string& dst, bool in_query)
 {
   const char *p = src.c_str();
   for (unsigned i = 0; i < src.size(); i++, p++) {
-    if (char_needs_url_encoding(*p)) {
-      escape_char(*p, dst);
-      continue;
-    }
+    if (*p == '%' && in_query && (i + 2) < src.size()) {
+      /* keep %AB as it is */
+      dst.append(p, 3);
+      i += 2;
+      p += 2;
+    } else {
+      if (char_needs_url_encoding(*p)) {
+       escape_char(*p, dst);
+       continue;
+      }
 
-    dst.append(p, 1);
+      dst.append(p, 1);
+    }
   }
 }
 

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 948c2797af19492629447287dc83f38479b6a0b8..ed2e619a871806ffe980a7ec513a5519f0b0fd74 100644 (file)
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -1710,7 +1710,7 @@ extern bool verify_object_permission(struct req_state *s, int perm);
 /** Convert an input URL into a sane object name
  * by converting %-escaped strings into characters, etc*/
 extern bool url_decode(const string& src_str, string& dest_str, bool in_query = false);
-extern void url_encode(const string& src, string& dst);
+extern void url_encode(const string& src, string& dst, bool in_query = false);
 
 /* destination should be CEPH_CRYPTO_HMACSHA1_DIGESTSIZE bytes long */
 extern void calc_hmac_sha1(const char *key, int key_len,

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 640ecfdec761f3ab6b707c555de0e86f0cd17067..9b4c26a225e3618a939cbb347f85773d15a6282c 100644 (file)
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -2901,10 +2901,10 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s)
       getline(kv, key, '=');
       getline(kv, val, '=');
       if (!using_qs || key != "X-Amz-Signature") {
-       string key_enc, val_enc;
-       url_encode(key, key_enc, true);
-       url_encode(val, val_enc, true);
-       canonical_qs_map[key_enc] = val_enc;
+        string key_enc, val_enc;
+        url_encode(key, key_enc, true);
+        url_encode(val, val_enc, true);
+        canonical_qs_map[key_enc] = val_enc;
       }
     }