[ 
https://issues.apache.org/jira/browse/HDDS-14802?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Pal reassigned HDDS-14802:
-----------------------------------

    Assignee:     (was: Rakesh Radhakrishnan)

> Canonical path is not properly formed in S3
> -------------------------------------------
>
>                 Key: HDDS-14802
>                 URL: https://issues.apache.org/jira/browse/HDDS-14802
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: S3
>            Reporter: Abhishek Pal
>            Priority: Major
>
> Currently the canonical path generation is not being properly followed by 
> Ozone.
> AWS S3 specs require that a 3-byte character starting with % should be encoded
> as is.
> However, we encode the % sign as well.
> Take the following example.
> If we create a file named "folder%2Ffile.txt", this gets encoded to
> "folder%252Ffile.txt", where %25 is the encoding of "%" in the original file
> name.
> We do not hit this bug directly, as the AWS CLI treats folder/file.txt and
> folder%2Ffile.txt as separate entities due to the encoding of "%". However,
> the edge case can be triggered by a small script.
> {code:bash}
> EP='<enter endpoint for S3 gateway>'
> B='testbuck'
> # 1) Put only folder/file.txt
> echo 'sigv4-path-test' > /tmp/sigv4.txt
> aws s3api --endpoint-url "$EP" --no-verify-ssl \
>   put-object --bucket "$B" --key 'folder/file.txt' --body /tmp/sigv4.txt
> # 2) Generate valid presigned URL for folder/file.txt
> URL=$(aws s3 presign "s3://$B/folder/file.txt" \
>   --endpoint-url "$EP" --no-verify-ssl --expires-in 300)
> echo "GOOD URL: $URL"
> # 3) Call good URL (should be 200)
> curl -k -i "$URL" | sed -n '1,8p'
> # 4) Mutate ONLY the path: folder/file.txt -> folder%2Ffile.txt
> BAD_URL=$(printf '%s\n' "$URL" | sed 's#folder/file.txt#folder%2Ffile.txt#')
> echo "MUTATED URL: $BAD_URL"
> # 5) Call mutated URL
> curl -k -i "$BAD_URL" | sed -n '1,12p'
> {code}
> This code should actually produce a 403 SignatureError with the mutation done 
> after the pre-sign.
> However, due to Ozone encoding the file differently, we are able to access
> "folder/file.txt" even when we cURL "folder%2Ffile.txt".


