Try to fix path if signature is invalid

CHANGELOG.md

@@ -5,6 +5,9 @@
 - Add [raw](https://docs.imgproxy.net/latest/generating_the_url?id=raw) processing option.
 - (pro) Add encrypted source URL support.
 
+### Changed
+- Fix some invalid signature cases that happen because of URL normalization.
+
 ## [3.7.2] - 2022-08-22
 ### Changed
 - (docker) Faster images quantization.

fix_path.go

@@ -0,0 +1,22 @@
+package main
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+var fixPathRe = regexp.MustCompile(`/plain/(\S+)\:/([^/])`)
+
+func fixPath(path string) string {
+	for _, match := range fixPathRe.FindAllStringSubmatch(path, -1) {
+		repl := fmt.Sprintf("/plain/%s://", match[1])
+		if match[1] == "local" {
+			repl += "/"
+		}
+		repl += match[2]
+		path = strings.Replace(path, match[0], repl, 1)
+	}
+
+	return path
+}

processing_handler.go

@@ -218,7 +218,13 @@ func handleProcessing(reqID string, rw http.ResponseWriter, r *http.Request) {
 	}
 
 	if err := security.VerifySignature(signature, path); err != nil {
-		sendErrAndPanic(ctx, "security", ierrors.New(403, err.Error(), "Forbidden"))
+		// Some proxy servers may normalize URL and make signature invalid.
+		// Try to fix the path and repeat the check
+		path = fixPath(path)
+
+		if err = security.VerifySignature(signature, path); err != nil {
+			sendErrAndPanic(ctx, "security", ierrors.New(403, err.Error(), "Forbidden"))
+		}
 	}
 
 	po, imageURL, err := options.ParsePath(path, r.Header)