-
-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws-sigv4 signature covers non-existent Expect: header #11664
Comments
Try #11668 |
AWS SigV4 support is available in curl since 7.75.0 (December 2020). Add the necessary bits for Hurl to understand this option and pass it on to libcurl, both as a command line option `--aws-sigv4` and as a per-request option `aws-sigv4` in Hurlfiles. Do not emit `Authorization: Basic` when aws-sigv4 is used, as this would take priority over the `Authorization` header generated by libcurl. Instead, explicitly set `username` and `password` options. Suppress removal of the `Expect:` header when using aws-sigv4, as a workaround for curl/curl#11664. Add a corresponding integration test.
AWS SigV4 support is available in curl since 7.75.0 (December 2020). Add the necessary bits for Hurl to understand this option and pass it on to libcurl, both as a command line option `--aws-sigv4` and as a per-request option `aws-sigv4` in Hurlfiles. Do not emit `Authorization: Basic` when aws-sigv4 is used, as this would take priority over the `Authorization` header generated by libcurl. Instead, explicitly set `username` and `password` options. Suppress removal of the `Expect:` header when using aws-sigv4, as a workaround for curl/curl#11664. Add a corresponding integration test.
Just tested with 370aabb3ef0dc4fe1bcedd52ce706f4fceed3cea and it works now. Thanks for the quick response! |
With that commit if you send a no-value header to AWS like -H "foo;" (note the semi-colon which causes libcurl to translate it to 'foo:') and it sends "foo:" does AWS show you any signature error for that? |
Note that different AWS endpoints seem to use different implementations (see initial report: Testing against an Appsync GraphQL endpoint:
Testing against STS:
By the way, using |
Thanks for testing. I tried to get the behavior as close as possible to the way http.c handles these headers. We want SignedHeaders to only include what is actually being sent.
Since the no-value
Yes that is expected since any 'expect' header value other than 100-continue is undefined.
I forget whether that's a bug or intended. I'll take a look. |
AWS SigV4 support is available in curl since 7.75.0 (December 2020). Add the necessary bits for Hurl to understand this option and pass it on to libcurl, both as a command line option `--aws-sigv4` and as a per-request option `aws-sigv4` in Hurlfiles. Do not emit `Authorization: Basic` when aws-sigv4 is used, as this would take priority over the `Authorization` header generated by libcurl. Instead, explicitly set `username` and `password` options. Suppress removal of the `Expect:` header when using aws-sigv4, as a workaround for curl/curl#11664. Add a corresponding integration test.
- Handle user headers in format 'name:' and 'name;' with no value. The former is used when the user wants to remove an internal libcurl header and the latter is used when the user actually wants to send a no-value header in the format 'name:' (note the semi-colon is converted by libcurl to a colon). Prior to this change the AWS header import code did not special case either of those and the generated AWS SignedHeaders would be incorrect. Reported-by: apparentorder@users.noreply.github.com Fixes curl#11664 Closes #xxxx
- Handle user headers in format 'name:' and 'name;' with no value. The former is used when the user wants to remove an internal libcurl header and the latter is used when the user actually wants to send a no-value header in the format 'name:' (note the semi-colon is converted by libcurl to a colon). Prior to this change the AWS header import code did not special case either of those and the generated AWS SignedHeaders would be incorrect. Reported-by: apparentorder@users.noreply.github.com Ref: https://curl.se/docs/manpage.html#-H Fixes curl#11664 Closes curl#11668
I did this
I expected the following
Correct AWS SigV4, i.e.
expect
is not part of curl's generatedSignedHeaders
, as it is not part of the emitted request headers, like this:But what actually happens is this:
Per man page, using
--header 'expect:'
should remove that header. The header is indeed not present, but it seems that by forcing the removal of this non-existent header, it somehow gets added to the list of headers to be considered for aws-sigv4.Additional context:
Some AWS APIs just ignore this (e.g.
sts
), but others report failure, e.g. Appsync GraphQL with IAM Auth:This seems to happen in libcurl – I've discovered it while playing around with Hurl, which explicitly sets
Expect:
.curl/libcurl version
curl 8.0.1 (aarch64-amazon-linux-gnu) libcurl/8.0.1 OpenSSL/3.0.8 zlib/1.2.11 libidn2/2.3.2 nghttp2/1.51.0
operating system
Amazon Linux 2023
The text was updated successfully, but these errors were encountered: