From 90b270d8601997f03317e8f6b3b2b81c24d3a0e4 Mon Sep 17 00:00:00 2001 From: Phillip Berndt Date: Thu, 19 Jan 2023 09:20:50 +0100 Subject: [PATCH] Compute host header correctly Signatures need to include the host header, but the requests library does not include it in prepared requests by default. Rather, it trusts that Python's HTTP client will compute and inject it when sending the request. This forces requests-aws4auth to compute what this header will look like. A slight discrepancy between the implementations is that the code in this library unconditionally skips the port, whereas the request that ends up being sent will include a port if it does not match the URL scheme's default. This change adjusts the implementations to match in that regard. Fixes #34 --- requests_aws4auth/aws4auth.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/requests_aws4auth/aws4auth.py b/requests_aws4auth/aws4auth.py index e0b55ff..4bf3c94 100644 --- a/requests_aws4auth/aws4auth.py +++ b/requests_aws4auth/aws4auth.py @@ -615,7 +615,16 @@ def get_canonical_headers(cls, req, include=None): # in the signed headers, but Requests doesn't include it in a # PreparedRequest if 'host' not in headers: - headers['host'] = urlparse(str(req.url)).netloc.split(':')[0] + purl = urlparse(str(req.url)) + netloc = purl.netloc + # Python's http client only includes the port if it is non-default, + # see http.client.HTTPConnection.putrequest. The request URL, on the + # other hand, might explicitly include it. + if (purl.port is not None + and (purl.scheme == 'http' and purl.port == 80 or + purl.scheme == 'https' and purl.port == 443)): + netloc = netloc.rsplit(":", 1)[0] + headers['host'] = netloc # Aggregate for upper/lowercase header name collisions in header names, # AMZ requires values of colliding headers be concatenated into a # single header with lowercase name. Although this is not possible with