bryancall opened a new pull request, #12802: URL: https://github.com/apache/trafficserver/pull/12802
## Summary Fixed the `isUriEncoded()` and `canonicalEncode()` functions in the origin_server_auth plugin to properly handle URLs with mixed encoding (some characters encoded, some not). ## Bug Description When a URL has mixed encoding (e.g., `/app/(channel)/%5B%5Bparts%5D%5D/page.js` where parentheses are NOT encoded but brackets ARE encoded), the signature calculation was incorrect: - `isUriEncoded()` found `%5B` and returned `true`, incorrectly assuming the entire string was fully encoded - `canonicalEncode()` returned the string as-is - Signature was calculated for the partially-encoded path - S3 expected signature for the fully-encoded canonical path - Result: 403 SignatureDoesNotMatch ## Fix 1. **`isUriEncoded()`**: Now checks the ENTIRE string and returns `false` if ANY character that should be encoded is found unencoded 2. **`canonicalEncode()`**: For partially-encoded strings, decodes first then re-encodes to ensure consistent canonical output 3. Added `uriDecode()` helper function ## Testing - Added unit tests for mixed encoding scenarios - Added tests for all S3 "safe" characters that need SigV4 encoding (`!`, `*`, `'`, `(`, `)`) - Added autest for end-to-end verification - All 60 test cases pass (184 assertions) ## References - AWS SigV4 spec: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html - S3 object key naming: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
