
This queue is for tickets about the Net-Amazon-Signature-V4 CPAN distribution.

Report information
The Basics
Id: 130784
Status: open
Priority: 0/
Queue: Net-Amazon-Signature-V4

People
Owner: Nobody in particular
Requestors: alex [...] corp.zubrcom.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Invalid signature for s3 objects with + in the name
Date: Tue, 22 Oct 2019 20:45:47 -0400
To: bug-Net-Amazon-Signature-V4 [...] rt.cpan.org
From: Alexander Yuriev <alex [...] corp.zubrcom.net>
Hi,

The module Net::Amazon::Signature::V4, including version 0.19, does not properly handle signatures for the S3 requests where the object name contains a + character.

This is a brokenness of S3 where the + in the object name needs to be substituted for %2B before being fed into the string_to_sign as a canonical URI.

To reproduce: create an S3 object with a + in the name. Sign with a proper key. You will get a permission denied. Rename the S3 object so it has a - instead of the +. Sign with a proper key. You will get a 200.

This issue ONLY affects the S3.

Thanks,
Alex

On Tue Oct 22 20:46:10 2019, alex@corp.zubrcom.net wrote:
> Hi,
>
> The module Net::Amazon::Signature::V4, including version 0.19 does not
> properly handle signatures for the S3 requests where the object name
> contains + character.
>
> This is a brokenness of S3 where the + in the object name needs to be
> substituted for %2B before being fed into the string_to_sign as a canonical
> URI.
>
> To reproduce: create an S3 object with a + in the name. Sign with a proper
> key. You will get a permission denied. Rename the S3 object so it has a -
> instead of the +. Sign with a proper key. You will get a 200.
> This issue ONLY affects the S3.
>
> Thanks,
> Alex

The signature code for S3 was adjusted in 0.20 (https://github.com/Grinnz/Net-Amazon-Signature-V4/pull/7), but I'm not sure if it applies to this issue. If not, could you provide a specific example?
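
The encoding rule this ticket is about, as an added example that is not part of the ticket and is not the module's own code: for S3, the SigV4 canonical URI percent-encodes each path segment once, leaving only `A-Z a-z 0-9 - . _ ~` and the `/` separators literal, so `+` becomes `%2B` while `-` is untouched. The host, region, date, secret and object keys are constructed sample values, and the helper names are hypothetical.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex hmac_sha256 hmac_sha256_hex);

# Percent-encode one path segment: every byte outside the unreserved set
# A-Z a-z 0-9 - . _ ~ becomes %XX (uppercase hex), so '+' turns into %2B.
sub encode_segment {
    my ($segment) = @_;
    utf8::encode($segment) if utf8::is_utf8($segment);   # work on UTF-8 bytes
    $segment =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $segment;
}

# Canonical URI for S3: encode each segment exactly once, keep '/' literal.
sub s3_canonical_uri {
    my ($path) = @_;
    return join '/', map { encode_segment($_) } split m{/}, $path, -1;
}

# SigV4 signature of an unsigned-body GET, given the canonical URI to use.
sub signature {
    my ($canonical_uri, %arg) = @_;
    my $empty = sha256_hex('');
    my $canonical_request = join "\n",
        'GET', $canonical_uri, '',                        # empty query string
        "host:$arg{host}", "x-amz-content-sha256:$empty",
        "x-amz-date:$arg{amz_date}", '',
        'host;x-amz-content-sha256;x-amz-date', $empty;
    my $date  = substr $arg{amz_date}, 0, 8;
    my $scope = "$date/$arg{region}/s3/aws4_request";
    my $string_to_sign = join "\n", 'AWS4-HMAC-SHA256', $arg{amz_date},
        $scope, sha256_hex($canonical_request);
    my $key = "AWS4$arg{secret}";                         # derive signing key
    $key = hmac_sha256($_, $key) for $date, $arg{region}, 's3', 'aws4_request';
    return hmac_sha256_hex($string_to_sign, $key);
}

# Constructed sample values: not real credentials, bucket or object keys.
my %arg = (host => 'examplebucket.s3.amazonaws.com', region => 'us-east-1',
           amz_date => '20191022T204547Z', secret => 'EXAMPLE-SECRET-NOT-REAL');
for my $path ('/reports/2019+q3.csv', '/reports/2019-q3.csv') {
    my $canon   = s3_canonical_uri($path);
    my $raw_sig = signature($path,  %arg);   # path signed as-is, '+' left raw
    my $enc_sig = signature($canon, %arg);   # path signed in canonical form
    printf "%s -> %s\n  raw:     %s\n  encoded: %s\n  signatures %s\n",
        $path, $canon, $raw_sig, $enc_sig,
        $raw_sig eq $enc_sig ? 'match' : 'DIFFER';
}
```

For the `+` key the two signatures differ, which is the mismatch that surfaces as the permission-denied response in the reproduction; for the `-` key the path is already canonical, so both signatures are identical.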