Overview

File curl-aws_sigv4-the-query-canon-code-miscounted-url-encoded-input.patch of Package curl.36707

From a1532a33b3eb6276621996fb69a02c6477a4af12 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 10 Sep 2023 23:47:38 +0200
Subject: [PATCH] aws_sigv4: the query canon code miscounted URL encoded input

Added some extra ampersands to test 439 to verify "blank" query parts

Follow-up to fc76a24c53b08cdf

Closes #11829
---
 lib/http_aws_sigv4.c |    3 +++
 tests/data/test439   |    6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

--- curl-8.0.1.orig/lib/http_aws_sigv4.c
+++ curl-8.0.1/lib/http_aws_sigv4.c
@@ -446,6 +446,7 @@ static CURLcode canon_query(struct Curl_
             tmp[2] = Curl_raw_toupper(q[2]);
             result = Curl_dyn_addn(dq, tmp, 3);
             q += 2;
+            len -= 2;
           }
           else
             /* '%' without a following two-digit hex, encode it */
@@ -668,6 +669,8 @@ CURLcode Curl_output_aws_sigv4(struct Cu
   if(!canonical_request)
     goto fail;
 
+  DEBUGF(infof(data, "Canonical request: %s", canonical_request));
+
   /* provider 0 lowercase */
   Curl_strntolower(provider0, provider0, strlen(provider0));
   request_type = curl_maprintf("%s4_request", provider0);
--- curl-8.0.1.orig/tests/data/test439
+++ curl-8.0.1/tests/data/test439
@@ -38,7 +38,7 @@ debug
 aws-sigv4 with query
 </name>
 <command>
-"http://fake.fake.fake:8000/%TESTNUMBER/?name=me%&aim=b%aad&weirdo=*.//-" -u user:secret --aws-sigv4 "aws:amz:us-east-2:es" --connect-to fake.fake.fake:8000:%HOSTIP:%HTTPPORT
+"http://fake.fake.fake:8000/%TESTNUMBER/?name=me%&aim=b%aad&&&weirdo=*.//-" -u user:secret --aws-sigv4 "aws:amz:us-east-2:es" --connect-to fake.fake.fake:8000:%HOSTIP:%HTTPPORT
 </command>
 </client>
 
@@ -46,9 +46,9 @@ aws-sigv4 with query
 # Verify data after the test has been "shot"
 <verify>
 <protocol crlf="yes">
-GET /%TESTNUMBER/?name=me%&aim=b%aad&weirdo=*.//- HTTP/1.1
+GET /%TESTNUMBER/?name=me%&aim=b%aad&&&weirdo=*.//- HTTP/1.1
 Host: fake.fake.fake:8000
-Authorization: AWS4-HMAC-SHA256 Credential=user/19700101/us-east-2/es/aws4_request, SignedHeaders=host;x-amz-date, Signature=61376efa7adec25078f791a830dc3173d68e6c93799dd9a02046cf5092e2362a
+Authorization: AWS4-HMAC-SHA256 Credential=user/19700101/us-east-2/es/aws4_request, SignedHeaders=host;x-amz-date, Signature=88884e3b3142133685b2092d29d8b522b785b1a9ec9e4a90cbea83e882f8dcb6
 X-Amz-Date: 19700101T000000Z
 User-Agent: curl/%VERSION
 Accept: */*
openSUSE Build Service is sponsored by
Places