SECURITY-5146: encode plus sign only when content-type set to applica…
…tion/x-www-form-urlencoded

Co-authored-by: David Szigecsan <[email protected]>
Eugeniu David and sigee committed Nov 18, 2021
1 parent 7c63574 commit c3c1dc6
Showing 2 changed files with 38 additions and 6 deletions.
16 changes: 10 additions & 6 deletions src/Escher/RequestCanonicalizer.php
Expand Up @@ -11,7 +11,7 @@ public static function canonicalize($method, $requestUri, $payload, $rawHeaders,
$lines = array();
$lines[] = strtoupper($method);
$lines[] = self::normalizePath($path);
$lines[] = self::urlEncodeQueryString($query);
$lines[] = self::urlEncodeQueryString($query, $rawHeaders);

sort($headersToSign);
$lines = array_merge($lines, self::canonicalizeHeaders($rawHeaders, $headersToSign));
Expand All @@ -24,7 +24,7 @@ public static function canonicalize($method, $requestUri, $payload, $rawHeaders,
return implode("\n", $lines);
}

public static function urlEncodeQueryString($query)
public static function urlEncodeQueryString($query, $headers)
{
if (empty($query)) {
return '';
Expand All @@ -40,8 +40,8 @@ public static function urlEncodeQueryString($query)
$keyValues[0] = urldecode($keyValues[0]);
$keyValues[1] = urldecode($keyValues[1]);
$encodedParts[] = implode('=', array(
self::rawUrlEncode(str_replace('+', ' ', $keyValues[0])),
self::rawUrlEncode(str_replace('+', ' ', $keyValues[1])),
self::rawUrlEncode($keyValues[0], $headers),
self::rawUrlEncode($keyValues[1], $headers),
));
}
sort($encodedParts);
Expand Down Expand Up @@ -93,9 +93,13 @@ private static function canonicalizeHeaders($rawHeaders, array $headersToSign)
return $result;
}

private static function rawUrlEncode($urlComponent)
private static function rawUrlEncode($urlComponent, $headers)
{
$result = rawurlencode($urlComponent);
if(strpos($headers, "application/x-www-form-urlencoded")) {
$result = rawurlencode(str_replace('+', ' ', $urlComponent));
} else {
$result = rawurlencode($urlComponent);
}
if (version_compare(PHP_VERSION, '5.3.4') === -1) {
$result = str_replace('%7E', '~', $result);
}
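Review bot: The content-type check `if(strpos($headers, "application/x-www-form-urlencoded"))` in rawUrlEncode treats a match at offset 0 as no match, because strpos returns 0 there and 0 is falsy; it should be `if (stripos($headers, 'application/x-www-form-urlencoded') !== false) {` (stripos, since media-type values are case-insensitive). The new test in test/unit/RequestCanonicalizerTest.php passes exactly that string as `$headers`, which is the offset-0 case, so I would expect urlEncodeQueryStringShouldReplacePlusSignWithSplace to fail against this branch. The check also scans whatever canonicalize hands down as $rawHeaders (presumably the whole raw header string) rather than the Content-Type value alone, so the same text appearing in any other header name or value would flip the plus handling, and since this encoding feeds the signed canonical string, signer and verifier must agree exactly on when it triggers — matching only the Content-Type line, if the raw header format allows it, would remove that ambiguity. rawUrlEncode's body continues past the end of the hunk, and the `$headers` parameter now threaded through urlEncodeQueryString has no type or docblock; `@param string $headers raw request headers, inspected only to detect application/x-www-form-urlencoded` on both methods would document the contract.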
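--- /dev/null
+++ b/test/unit/RequestCanonicalizerTest.php
@@ -0,0 +1,28 @@
+<?php
+
+use Escher\RequestCanonicalizer;
+
+
+class RequestCanonicalizerTest extends TestBase
+{
+/**
+* @test
+*/
+public function urlEncodeQueryStringShouldNotReplacePlusSign()
+{
+$query = "email=test%2Bbayxd%40gmail.com";
+$result = RequestCanonicalizer::urlEncodeQueryString($query, "application/json");
+$this->assertEquals($query, $result);
+}
+
+/**
+* @test
+*/
+public function urlEncodeQueryStringShouldReplacePlusSignWithSplace()
+{
+$query = "email=test%2Bbayxd%40gmail.com";
+$expected = "email=test%20bayxd%40gmail.com";
+$result = RequestCanonicalizer::urlEncodeQueryString($query, "application/x-www-form-urlencoded");
+$this->assertEquals($expected, $result);
+}
+}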
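Review bot: The method name `urlEncodeQueryStringShouldReplacePlusSignWithSplace` has a typo; `urlEncodeQueryStringShouldReplacePlusSignWithSpace` reads as intended. Both tests pass a bare media type as the second argument, whereas canonicalize passes urlEncodeQueryString its full $rawHeaders value, so neither exercises a realistic `Content-Type: application/x-www-form-urlencoded` line embedded among other headers; adding that case, plus one where a different header merely mentions the media type, would pin down which headers are meant to switch the plus-sign handling.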
