Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: Stop encoding presigned URLs with UrlHelper (#8818) 

When FinalDestination is given a URL it encodes it before doing anything else. however S3 presigned URLs should not be messed with in any way otherwise we can end up with 400 errors when downloading the URL e.g.

<Error><Code>InvalidToken</Code><Message>The provided token is malformed or otherwise invalid.</Message>

The signature of presigned URLs is very important and is automatically generated and should be preserved.
This commit is contained in:
Martin Brennan 2020-01-31 09:09:34 +10:00 committed by GitHub
parent a520012538
commit 8d77e99827
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/url_helper.rb
View File

@ -63,9 +63,14 @@ class UrlHelper
# Prevents double URL encode
# https://stackoverflow.com/a/37599235
def self.escape_uri(uri)
return uri if s3_presigned_url?(uri)
UrlHelper.encode_component(CGI.unescapeHTML(UrlHelper.unencode(uri)))
end
def self.s3_presigned_url?(url)
(url.downcase =~ /x-amz-algorithm|x-amz-credential/).present?
end
def self.cook_url(url, secure: false)
return url unless is_local(url)

8
spec/components/url_helper_spec.rb
View File

@ -118,6 +118,14 @@ describe UrlHelper do
url = UrlHelper.escape_uri('http://example.com/foo%20bar/foo bar/')
expect(url).to eq('http://example.com/foo%20bar/foo%20bar/')
end
it "doesn't escape S3 presigned URLs" do
# both of these were originally real presigned URLs and have had all
# sensitive information stripped
presigned_url = "https://test.com/original/3X/b/5/575bcc2886bf7a39684b57ca90be85f7d399bbc7.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AK8888999977%2F20200130%2Fus-west-1%2Fs3%2Faws4_request&X-Amz-Date=20200130T064355Z&X-Amz-Expires=15&X-Amz-SignedHeaders=host&X-Amz-Security-Token=blahblah%2Bblahblah%2Fblah%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEQAR&X-Amz-Signature=test"
encoded_presigned_url = "https://test.com/original/3X/b/5/575bcc2886bf7a39684b57ca90be85f7d399bbc7.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AK8888999977/20200130/us-west-1/s3/aws4_request&X-Amz-Date=20200130T064355Z&X-Amz-Expires=15&X-Amz-SignedHeaders=host&X-Amz-Security-Token=blahblah+blahblah/blah//////////wEQA==&X-Amz-Signature=test"
expect(UrlHelper.escape_uri(presigned_url)).not_to eq(encoded_presigned_url)
end
end
describe "#local_cdn_url" do