okigan / awscurl

curl-like access to AWS resources with AWS Signature Version 4 request signing.

awscurl generates an incorrect request signature when user-supplied hostname includes capital letters.

bfrobin446 opened this issue · comments

The command `awscurl --service sts -X POST -d 'Action=GetCallerIdentity&Version=2011-06-15' -H 'Content-Type: application/x-www-form-urlencoded' https://sts.us-east-1.amazonaws.com` successfully calls the GetCallerIdentity operation and returns a response.

If I change the URL by capitalizing some of the letters in the hostname, `awscurl --service sts -X POST -d 'Action=GetCallerIdentity&Version=2011-06-15' -H 'Content-Type: application/x-www-form-urlencoded' https://STS.us-east-1.amazonaws.com`, I get a SignatureDoesNotMatch error.

The code apparently assumes that the header values are already in their canonical form at the point where a comment describes how to canonicalize them (`# and value must be trimmed and lowercase, and sorted in ASCII order.`), but a mixed-case hostname reaches this point without ever being lowercased.
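
The mismatch reported above can be reproduced offline. The following is an added example, not awscurl's code and not from the issue author: a minimal SigV4 signer for the issue's request that signs once with the host as typed and once with the hostname lowercased before signing. The secret key, timestamp and helper names are constructed, and it assumes the verifying side recomputes the signature over the lowercase host, which is consistent with the SignatureDoesNotMatch error reported.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values for illustration; not real credentials.
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"
AMZ_DATE = "20240101T000000Z"
REGION, SERVICE = "us-east-1", "sts"
BODY = "Action=GetCallerIdentity&Version=2011-06-15"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def raw_host(url: str) -> str:
    """Host exactly as the user typed it (the behaviour the issue describes)."""
    return urlsplit(url).netloc

def canonical_host(url: str) -> str:
    """Host with the hostname lowercased; urlsplit().hostname is always lower case."""
    parts = urlsplit(url)
    return f"{parts.hostname}:{parts.port}" if parts.port else parts.hostname

def sign(url: str, host: str) -> str:
    """Return the hex SigV4 signature for the issue's POST, signing `host` as the Host header."""
    headers = {
        "content-type": "application/x-www-form-urlencoded",
        "host": host,
        "x-amz-date": AMZ_DATE,
    }
    names = sorted(headers)  # header names are already lowercase here
    canonical_headers = "".join(f"{n}:{' '.join(headers[n].split())}\n" for n in names)
    canonical_request = "\n".join([
        "POST", urlsplit(url).path or "/", "", canonical_headers,
        ";".join(names), hashlib.sha256(BODY.encode()).hexdigest(),
    ])
    date = AMZ_DATE[:8]
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + SECRET_KEY).encode()
    for part in (date, REGION, SERVICE, "aws4_request"):
        key = _hmac(key, part)  # derive the signing key step by step
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

LOWER = "https://sts.us-east-1.amazonaws.com"
MIXED = "https://STS.us-east-1.amazonaws.com"
if __name__ == "__main__":
    print("as typed matches:  ", sign(MIXED, raw_host(MIXED)) == sign(LOWER, raw_host(LOWER)))
    print("lowercased matches:", sign(MIXED, canonical_host(MIXED)) == sign(LOWER, raw_host(LOWER)))
```
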