
Fix CloudFront signer RFC5987 support

Open realies opened this issue 4 years ago • 5 comments

url.parse(someUrl, true) in combination with nulling its search property has a side-effect when re-encoding using url.format. https://github.com/aws/aws-sdk-js/blob/821e9a11f3917551e26d5cbc794bf319979ceb00/lib/cloudfront/signer.js#L183 https://github.com/aws/aws-sdk-js/blob/821e9a11f3917551e26d5cbc794bf319979ceb00/lib/cloudfront/signer.js#L188

It causes URL queries existing before the signing process to get re-encoded improperly during the url.format stage here: https://github.com/aws/aws-sdk-js/blob/821e9a11f3917551e26d5cbc794bf319979ceb00/lib/cloudfront/signer.js#L197-L198

This breaks the usage of some special characters in URL queries, even when they have been properly URL encoded. One example is setting the filename in a specific charset using the response-content-disposition query field. For example, the response-content-disposition query value (RFC5987 examples) may contain:

attachment%3Bfilename%2A%3DUTF-8%27%27abc%2520def.mp4

However, the current functionality returns a signed URL that has the query value formatted as:

attachment%3Bfilename*%3DUTF-8''abc%2520def.mp4

This invalidates the generated signature and CloudFront replies with:

<Error>
<Code>AccessDenied</Code>
<Message>Access denied</Message>
</Error>

To replicate the issue in isolation:

> var u = url.parse('https://asdf.cloudfront.net/932e9e5d-cbdf-4c73-a3dc-e07758bd3adb?response-content-disposition=attachment%3Bfilename%2A%3DUTF-8%27%27abc%2520def.mp4', true)
> url.format(u)
'https://asdf.cloudfront.net/932e9e5d-cbdf-4c73-a3dc-e07758bd3adb?response-content-disposition=attachment%3Bfilename%2A%3DUTF-8%27%27abc%2520def.mp4'
> u.search=null
> url.format(u)
"https://asdf.cloudfront.net/932e9e5d-cbdf-4c73-a3dc-e07758bd3adb?response-content-disposition=attachment%3Bfilename*%3DUTF-8''abc%2520def.mp4"

The example input URL query works fine in aws-sdk-php and boto3.

Fixes #2952.

realies avatar Jul 09 '21 20:07 realies
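The round trip described in the post above, as an added example that is not part of the original post or of the aws-sdk-js code base: it reproduces the re-encoding with Node's legacy url API and adds a check that the caller's query bytes survive into the output URL. The helper names (legacyRoundTrip, rawQuery, appendParams, preservesQuery) are hypothetical, and appendParams is only one way to avoid the re-encoding, not the change made in this pull request.

```javascript
// Added example (not aws-sdk-js code). Uses Node's legacy url API, as on the page.
const url = require('url');

// Constructed sample: the URL from the report above.
const SAMPLE = 'https://asdf.cloudfront.net/932e9e5d-cbdf-4c73-a3dc-e07758bd3adb' +
  '?response-content-disposition=attachment%3Bfilename%2A%3DUTF-8%27%27abc%2520def.mp4';

// Reproduces the reported behaviour: with `search` nulled, url.format rebuilds
// the query from the decoded `query` object via querystring.stringify, whose
// escaping leaves "*" and "'" as literals.
function legacyRoundTrip(rawUrl) {
  const parsed = url.parse(rawUrl, true);
  parsed.search = null;
  return url.format(parsed);
}

// Raw query string without "?" (fragment ignored), or '' if there is none.
function rawQuery(rawUrl) {
  const noFragment = rawUrl.split('#')[0];
  const i = noFragment.indexOf('?');
  return i === -1 ? '' : noFragment.slice(i + 1);
}

// Hypothetical helper: append parameters without re-encoding the query that
// is already there, so the bytes the caller supplied are the bytes sent.
function appendParams(rawUrl, params) {
  const extra = Object.keys(params)
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
    .join('&');
  const hashAt = rawUrl.indexOf('#');
  const base = hashAt === -1 ? rawUrl : rawUrl.slice(0, hashAt);
  const fragment = hashAt === -1 ? '' : rawUrl.slice(hashAt);
  const sep = base.includes('?') ? (/[?&]$/.test(base) ? '' : '&') : '?';
  return base + sep + extra + fragment;
}

// Guard for tests or CI: the caller's query must be an exact prefix of the
// output query; any re-encoding makes this return false.
function preservesQuery(originalUrl, outputUrl) {
  return rawQuery(outputUrl).startsWith(rawQuery(originalUrl));
}
```

Running preservesQuery over the signer's input and output in a unit test catches this class of mismatch before a deployed URL starts returning AccessDenied.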

AWS CodeBuild CI Report

  • CodeBuild project: sdk-v2-github
  • Commit ID: c4cec7cdb41c4e73786d1cc2e69ae6e390ee23e0
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

aws-sdk-js-automation avatar Jul 09 '21 21:07 aws-sdk-js-automation

@ajredniwja @AllanZhengYP could you please review this and potentially release it?

realies avatar Feb 23 '22 09:02 realies

@ajredniwja @AllanZhengYP this is more than a year old now

realies avatar Jul 21 '22 14:07 realies

Greetings! We’re closing this issue because it has been open a long time and hasn’t been updated in a while and may not be getting the attention it deserves. We encourage you to check if this is still an issue in the latest release and if you find that this is still a problem, please feel free to comment or open a new issue.

github-actions[bot] avatar Jul 22 '23 00:07 github-actions[bot]

review it

realies avatar Jul 22 '23 02:07 realies