botocore
CloudFrontSigner doesn't account for wildcard question marks
CloudFrontSigners can be used to sign a URL with '*' and '?' wildcards: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html#private-content-custom-policy-statement-cookies-values. The check in _build_url() to figure out whether it is adding a query or appending to an existing query string does not account for this and can produce incorrect results. For example, consider the URL "https://example.com/example_202?.zip". Rather than being modified with a new query string "https://example.com/example_202?.zip?SomeParam=foo", it'll be incorrectly turned into "https://example.com/example_202?.zip&SomeParam=foo".
I'm not exactly sure how this should (if at all) be fixed because the wildcard is in direct contradiction with URL specs. At the moment, we are working around it by detecting that a wildcard was used and swapping out the first '&' for a '?', but this only works in our case because we know there aren't any query strings to start with in our particular URLs.
The line in question is: https://github.com/boto/botocore/blob/1a2ebd8c15ad6cfea20cb92e9848308d33d41c81/botocore/signers.py#L441
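An added example, not part of the original issue and not botocore's own code: a simplified stand-in for the separator check described above next to the workaround, showing where each one yields the wrong URL. The function names, the `wildcard_in_path` flag and the second sample URL are assumptions constructed for illustration.

```python
def naive_append(base_url, extra_params):
    """Stand-in for the check the issue describes (hypothetical name).

    Any '?' in the URL is taken as the start of an existing query string,
    so a '?' policy wildcard in the path selects '&' as the separator.
    """
    separator = "&" if "?" in base_url else "?"
    return base_url + separator + "&".join(extra_params)


def append_with_workaround(base_url, extra_params, wildcard_in_path):
    """The workaround from the issue: swap the first '&' for a '?'.

    The caller has to say whether the '?' is a wildcard, because the URL
    text alone cannot distinguish a wildcard from a query delimiter.
    """
    url = naive_append(base_url, extra_params)
    if wildcard_in_path:
        url = url.replace("&", "?", 1)
    return url


def demo():
    """Return (label, result) pairs for the cases discussed in the issue."""
    params = ["SomeParam=foo"]
    wildcard_only = "https://example.com/example_202?.zip"
    # Constructed sample: a wildcard in the path plus a real query string.
    wildcard_and_query = "https://example.com/example_202?.zip?x=1"
    return [
        # Wrong: parameters are joined with '&' although no query exists.
        ("naive, wildcard only", naive_append(wildcard_only, params)),
        # Right: the workaround restores the '?' delimiter.
        ("workaround, wildcard only",
         append_with_workaround(wildcard_only, params, True)),
        # Wrong: the swap adds a second '?' after the real query string.
        ("workaround, wildcard and query",
         append_with_workaround(wildcard_and_query, params, True)),
    ]


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label}: {result}")
```
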
Hi @WeatherGod, thanks for bringing this up. After talking with the team, the team will check the code. I don't have a timeline for implementation at this time, but I'll be leaving this feature request open for tracking purposes, and will let you know if I have any updates. Thanks again.