This repository has been archived by the owner on May 8, 2024. It is now read-only.

URL decoding in the signature helper results in paths containing a '+' sign not being verified correctly #352

Open
shineability opened this issue Jan 25, 2024 · 0 comments


Which service (blob, file, queue, table) does this issue concern?

Blob, but the issue occurs in the Common package...

Which version of the SDK was used?

  • microsoft/azure-storage-common: 1.5.2
  • microsoft/azure-storage-blob: 1.5.4

What problem was encountered?

When your blob/resource name has a + character in it, the signature verification fails.

Steps to reproduce the issue?

Generate a SAS token with any resource containing a + character.

```php
$resourceContainingPlusCharacter = 'package-test/azure+logo-plus.jpg';

$token = BlobSharedAccessSignatureHelper::generateBlobServiceSharedAccessSignatureToken(
    Resources::RESOURCE_TYPE_BLOB,
    $resourceContainingPlusCharacter,
    ...
);
```

```php
return urldecode(sprintf('/%s/%s/%s', $serviceName, $accountName, $resource));
```

Using urldecode here decodes a + to a space, which changes the resource to package-test/azure logo-plus.jpg before generating the signature.

Have you found a mitigation/solution?

Using rawurldecode fixes the issue, but not decoding also works. Not sure why the resource needs to be decoded here in the first place?
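The mismatch described in this issue, reproduced as an added example (not code from the SDK or from the issue author). The string-to-sign is a simplified, hypothetical one, the key and account name are constructed, and the verifying side is assumed to sign the blob name exactly as stored.

```php
<?php
declare(strict_types=1);

// Constructed sample values; not a real account or key.
const SAMPLE_KEY = 'constructed-sample-key';
const SAMPLE_ACCOUNT = 'exampleaccount';

// The line quoted in the issue: urldecode() also turns '+' into a space.
function canonicalWithUrldecode(string $resource): string
{
    return urldecode(sprintf('/%s/%s/%s', 'blob', SAMPLE_ACCOUNT, $resource));
}

// The fix proposed in the issue: rawurldecode() decodes only %XX sequences.
function canonicalWithRawurldecode(string $resource): string
{
    return rawurldecode(sprintf('/%s/%s/%s', 'blob', SAMPLE_ACCOUNT, $resource));
}

// Assumption: the verifier signs the literal blob name, with no decoding.
function canonicalAsStored(string $resource): string
{
    return sprintf('/%s/%s/%s', 'blob', SAMPLE_ACCOUNT, $resource);
}

// Hypothetical, simplified string-to-sign: permissions, expiry, canonical resource.
function sign(string $canonicalResource): string
{
    $stringToSign = implode("\n", ['r', '2030-01-01T00:00:00Z', $canonicalResource]);
    return base64_encode(hash_hmac('sha256', $stringToSign, SAMPLE_KEY, true));
}

$blobNames = [
    'package-test/azure+logo-plus.jpg', // the name from the issue
    'package-test/azure logo.jpg',      // literal space, unaffected
    'package-test/azure-logo.jpg',      // nothing to decode
];

foreach ($blobNames as $name) {
    $expected = sign(canonicalAsStored($name));
    printf(
        "%-36s urldecode: %-8s rawurldecode: %s\n",
        $name,
        hash_equals($expected, sign(canonicalWithUrldecode($name))) ? 'match' : 'MISMATCH',
        hash_equals($expected, sign(canonicalWithRawurldecode($name))) ? 'match' : 'MISMATCH'
    );
}
```

Only the name containing `+` produces a different signature under `urldecode`, because the signed path becomes `package-test/azure logo-plus.jpg`.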
