FIX: Stop encoding presigned URLs with UrlHelper (#8818)
When FinalDestination is given a URL, it encodes it before doing anything else. However, S3 presigned URLs should not be altered in any way; otherwise we can end up with 400 errors when downloading the URL, e.g. <Error><Code>InvalidToken</Code><Message>The provided token is malformed or otherwise invalid.</Message> The signature of a presigned URL is generated automatically and must be preserved exactly.
parent
a520012538
commit
8d77e99827
|
@ -63,9 +63,14 @@ class UrlHelper
|
|||
# Prevents double URL encode
|
||||
# https://stackoverflow.com/a/37599235
|
||||
def self.escape_uri(uri)
|
||||
return uri if s3_presigned_url?(uri)
|
||||
UrlHelper.encode_component(CGI.unescapeHTML(UrlHelper.unencode(uri)))
|
||||
end
|
||||
|
||||
def self.s3_presigned_url?(url)
|
||||
(url.downcase =~ /x-amz-algorithm|x-amz-credential/).present?
|
||||
end
|
||||
|
||||
def self.cook_url(url, secure: false)
|
||||
return url unless is_local(url)
|
||||
|
||||
|
|
|
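Review bot: The `s3_presigned_url?` check is an unanchored substring match, so any URL containing `x-amz-algorithm` or `x-amz-credential` anywhere (path, fragment, or a query string on an unrelated host) is returned by `escape_uri` without the normalisation every other URL gets. The commit message says FinalDestination runs URLs through this method first, so the early return is presumably reachable with user-supplied links. Tie the match to query parameter names at least, e.g. `url.match?(/[?&]x-amz-(algorithm|credential)=/i)`, and consider also requiring the host to be the site's configured S3 endpoint. A comment above the method, such as `# Presigned URLs must be passed through byte-for-byte; re-encoding them makes S3 reject the request`, would record why the early return exists. `cook_url` continues outside the hunk.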
@ -118,6 +118,14 @@ describe UrlHelper do
|
|||
url = UrlHelper.escape_uri('http://example.com/foo%20bar/foo bar/')
|
||||
expect(url).to eq('http://example.com/foo%20bar/foo%20bar/')
|
||||
end
|
||||
|
||||
it "doesn't escape S3 presigned URLs" do
|
||||
# both of these were originally real presigned URLs and have had all
|
||||
# sensitive information stripped
|
||||
presigned_url = "https://test.com/original/3X/b/5/575bcc2886bf7a39684b57ca90be85f7d399bbc7.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AK8888999977%2F20200130%2Fus-west-1%2Fs3%2Faws4_request&X-Amz-Date=20200130T064355Z&X-Amz-Expires=15&X-Amz-SignedHeaders=host&X-Amz-Security-Token=blahblah%2Bblahblah%2Fblah%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQAR&X-Amz-Signature=test"
|
||||
encoded_presigned_url = "https://test.com/original/3X/b/5/575bcc2886bf7a39684b57ca90be85f7d399bbc7.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AK8888999977/20200130/us-west-1/s3/aws4_request&X-Amz-Date=20200130T064355Z&X-Amz-Expires=15&X-Amz-SignedHeaders=host&X-Amz-Security-Token=blahblah+blahblah/blah//////////wEQA==&X-Amz-Signature=test"
|
||||
expect(UrlHelper.escape_uri(presigned_url)).not_to eq(encoded_presigned_url)
|
||||
end
|
||||
end
|
||||
|
||||
describe "#local_cdn_url" do
|
||||
|
|
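Review bot: The new example asserts only `not_to eq(encoded_presigned_url)`, which passes for any output other than that one string, including a URL mangled in some other way. Assert the actual contract instead: `expect(UrlHelper.escape_uri(presigned_url)).to eq(presigned_url)`. The comment says both values were originally real presigned URLs, but the second appears to be the re-encoded form of the first, so the wording should say that. A companion example with an ordinary URL that merely contains `x-amz-algorithm` in its path would document how far the early return in `escape_uri` is meant to reach. The enclosing `describe` block begins outside the hunk.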