Exclude content-length from S3 signed headers.

The content-length header was being signed since it was the only header that didn't need to be and it seemed simpler just to sign it as well. Also, the S3 documentation encourages signing as many headers as possible to avoid tampering. However, some proxies munge this header causing authentication failure, so skip signing content-length.
2025-01-18 04:58:51 +02:00 · 2021-03-25 07:07:16 -04:00 · 2021-03-25 07:07:16 -04:00 · 7d7ac0e0eb
commit 7d7ac0e0eb
parent 5876048675
3 changed files with 21 additions and 7 deletions
--- a/doc/xml/release.xml
+++ b/doc/xml/release.xml
@ -100,6 +100,16 @@
                        <p>Include recreated system databases during selective restore.</p>
                    </release-item>

+                    <release-item>
+                        <release-item-contributor-list>
+                            <release-item-ideator id="brian.p.bockelman"/>
+                            <release-item-contributor id="david.steele"/>
+                            <release-item-reviewer id="cynthia.shang"/>
+                        </release-item-contributor-list>
+
+                        <p>Exclude <id>content-length</id> from <proper>S3</proper> signed headers.</p>
+                    </release-item>
+
                    <release-item>
                        <release-item-contributor-list>
                            <release-item-reviewer id="cynthia.shang"/>
@ -9191,6 +9201,11 @@
            <contributor-id type="github">scrummyin</contributor-id>
        </contributor>

+        <contributor id="brian.p.bockelman">
+            <contributor-name-display>Brian P Bockelman</contributor-name-display>
+            <contributor-id type="github">bbockelm</contributor-id>
+        </contributor>
+
        <contributor id="brian.peterson">
            <contributor-name-display>Brian Peterson</contributor-name-display>
            <contributor-id type="github">brimo2k</contributor-id>
--- a/src/storage/s3/storage.c
+++ b/src/storage/s3/storage.c
@ -206,8 +206,8 @@ storageS3Auth(
            const String *headerKey = strLstGet(headerList, headerIdx);
            const String *headerKeyLower = strLower(strDup(headerKey));

-            // Skip the authorization header -- if it exists this is a retry
-            if (strEq(headerKeyLower, HTTP_HEADER_AUTHORIZATION_STR))
+            // Skip the authorization (exists on retry) and content-length headers since they do not need to be signed
+            if (strEq(headerKeyLower, HTTP_HEADER_AUTHORIZATION_STR) || strEq(headerKeyLower, HTTP_HEADER_CONTENT_LENGTH_STR))
                continue;

            strCatFmt(canonicalRequest, "%s:%s\n", strZ(headerKeyLower), strZ(httpHeaderGet(httpHeader, headerKey)));
--- a/test/src/module/storage/s3Test.c
+++ b/test/src/module/storage/s3Test.c
@ -57,14 +57,13 @@ testRequest(IoWrite *write, Storage *s3, const char *verb, const char *path, Tes
    {
        strCatFmt(
            request,
-                "authorization:AWS4-HMAC-SHA256 Credential=%s/\?\?\?\?\?\?\?\?/us-east-1/s3/aws4_request,"
-                    "SignedHeaders=content-length",
-                param.accessKey == NULL ? strZ(driver->accessKey) : param.accessKey);
+            "authorization:AWS4-HMAC-SHA256 Credential=%s/\?\?\?\?\?\?\?\?/us-east-1/s3/aws4_request,SignedHeaders=",
+            param.accessKey == NULL ? strZ(driver->accessKey) : param.accessKey);

        if (param.content != NULL)
-            strCatZ(request, ";content-md5");
+            strCatZ(request, "content-md5;");

-        strCatZ(request, ";host;x-amz-content-sha256;x-amz-date");
+        strCatZ(request, "host;x-amz-content-sha256;x-amz-date");

        if (securityToken != NULL)
            strCatZ(request, ";x-amz-security-token");