From df2ace16430fcce4eecb506a73723d81851d6fc5 Mon Sep 17 00:00:00 2001 From: Anthony Lukach Date: Tue, 30 Jun 2026 20:04:55 -0700 Subject: [PATCH] fix(sigv4): use encoded request path for inbound signature verification Uploads of keys containing characters the client percent-escapes (e.g. a space -> %20) failed with SignatureDoesNotMatch. SigV4's canonical URI is the percent-encoded path the client signed, but `RequestParts` decodes the path (correct for bucket/key routing) and we were passing that decoded path as the `signing_path`. The server then built its canonical request with a literal space while the client signed `%20`, so the signatures never matched. Recover the raw encoded path from the request URL via `Uri::path()` (which does not decode) and use it as the signing path. Routing keeps the decoded path; outbound signing already re-encodes via `url::Url::parse`, so it was unaffected. Co-Authored-By: Claude Opus 4.8 (1M context) --- src/lib.rs | 14 +++++++++++++- tests/routing.rs | 14 ++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/src/lib.rs b/src/lib.rs index 0ce726a..66a1341 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -278,6 +278,18 @@ async fn fetch(req: web_sys::Request, env: Env, ctx: Context) -> Result() + .map(|u| u.path().to_string()) + .unwrap_or_else(|_| rewrite.signing_path.clone()); + let request_info = RequestInfo::new( &parts.method, &rewrite.path, @@ -285,7 +297,7 @@ async fn fetch(req: web_sys::Request, env: Env, ctx: Context) -> Result
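Review bot: The `.unwrap_or_else(|_| rewrite.signing_path.clone())` fallback in the first hunk discards the parse error and goes back to verifying against the decoded path, the same input that produced SignatureDoesNotMatch before this change. Verification still fails closed in that case, but nothing records why, so I would keep the error and report it, e.g. `.unwrap_or_else(|err| { /* log err with the project's logger */ rewrite.signing_path.clone() })`, or reject the request outright when the URL cannot be parsed. Separately, using the wire path as the canonical URI assumes the client sent the path in the same encoding it signed. A client that leaves characters such as `(` or `*` unescaped on the wire but signs them escaped would presumably still be rejected, and re-encoding the decoded path with the SigV4 unreserved set would cover both cases. Several added lines of this hunk, including the receiver of the parse call, are missing from this copy of the patch, and the body of `fetch` continues outside the hunk.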