This repository was archived by the owner on May 8, 2024. It is now read-only.

URL decoding in the signature helper results in paths containing a '+' sign not being verified correctly #352

@shineability


Which service(blob, file, queue, table) does this issue concern?

Blob, but the issue occurs in the Common package...

Which version of the SDK was used?

  • microsoft/azure-storage-common: 1.5.2
  • microsoft/azure-storage-blob: 1.5.4

What problem was encountered?

When your blob/resource name has a + character in it, the signature verification fails.

Steps to reproduce the issue?

Generate a SAS token with any resource containing a + character.

$resourceContainingPlusCharacter = 'package-test/azure+logo-plus.jpg';

$token = BlobSharedAccessSignatureHelper::generateBlobServiceSharedAccessSignatureToken(
    Resources::RESOURCE_TYPE_BLOB, 
    $resourceContainingPlusCharacter,
    ...
);

return urldecode(sprintf('/%s/%s/%s', $serviceName, $accountName, $resource));

Using urldecode here decodes a + to a space, which changes the resource to package-test/azure logo-plus.jpg before generating the signature.

Have you found a mitigation/solution?

Using rawurldecode fixes the issue, but not decoding also works. Not sure why the resource needs to be decoded here in the first place?
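
The mismatch described in this issue can be reproduced outside the SDK. The following is an added example, not code from the issue or from the SDK: the key, account name, string-to-sign layout and the reference signature over the undecoded name are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample values; the key is a placeholder, not a real account key.
const DEMO_KEY = 'sample-key-for-demo-only';
const SERVICE  = 'blob';
const ACCOUNT  = 'exampleaccount';

// Canonicalized resource, passed through the given decoder (or none).
function canonicalResource(string $resource, ?callable $decoder): string
{
    $path = sprintf('/%s/%s/%s', SERVICE, ACCOUNT, $resource);
    return $decoder === null ? $path : $decoder($path);
}

// Simplified string-to-sign (assumption: fewer fields than a real SAS token).
function sign(string $canonical): string
{
    $stringToSign = implode("\n", ['r', '2030-01-01T00:00:00Z', $canonical]);
    return base64_encode(hash_hmac('sha256', $stringToSign, DEMO_KEY, true));
}

$names = [
    'package-test/azure+logo-plus.jpg', // name from the issue
    'package-test/plain.jpg',           // constructed control without '+'
];

foreach ($names as $name) {
    // Reference: signature over the blob name exactly as given (assumption).
    $reference = sign(canonicalResource($name, null));
    foreach (['urldecode', 'rawurldecode'] as $decoder) {
        $canonical = canonicalResource($name, $decoder);
        // Constant-time comparison, as a verifier should use for MACs.
        $verdict = hash_equals($reference, sign($canonical)) ? 'match' : 'MISMATCH';
        printf("%-12s %-55s %s\n", $decoder, $canonical, $verdict);
    }
}
```

Only the `urldecode` row for the name containing `+` reports a mismatch, because the signed path contains a space where the blob name has a plus sign.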
