signature-v2: encode path and query strings when calculating signature (#3253)

cmd/signature-v2.go

@@ -191,17 +191,20 @@ func doesSignV2Match(r *http.Request) APIErrorCode {
 		return apiError
 	}
 
-	// url.RawPath will be valid if path has any encoded characters, if not it will
-	// be empty - in which case we need to consider url.Path (bug in net/http?)
+	// Encode path:
+	//   url.RawPath will be valid if path has any encoded characters, if not it will
+	//   be empty - in which case we need to consider url.Path (bug in net/http?)
 	encodedResource := r.URL.RawPath
-	encodedQuery := r.URL.RawQuery
 	if encodedResource == "" {
 		splits := strings.Split(r.URL.Path, "?")
 		if len(splits) > 0 {
-			encodedResource = splits[0]
+			encodedResource = getURLEncodedName(splits[0])
 		}
 	}
 
+	// Encode query strings
+	encodedQuery := r.URL.Query().Encode()
+
 	expectedAuth := signatureV2(r.Method, encodedResource, encodedQuery, r.Header)
 	if v2Auth != expectedAuth {
 		return ErrSignatureDoesNotMatch

cmd/test-utils_test.go

@@ -950,13 +950,13 @@ func signRequestV2(req *http.Request, accessKey, secretKey string) error {
 	// url.RawPath will be valid if path has any encoded characters, if not it will
 	// be empty - in which case we need to consider url.Path (bug in net/http?)
 	encodedResource := req.URL.RawPath
-	encodedQuery := req.URL.RawQuery
 	if encodedResource == "" {
 		splits := strings.Split(req.URL.Path, "?")
 		if len(splits) > 0 {
-			encodedResource = splits[0]
+			encodedResource = getURLEncodedName(splits[0])
 		}
 	}
+	encodedQuery := req.URL.Query().Encode()
 
 	// Calculate HMAC for secretAccessKey.
 	stringToSign := signV2STS(req.Method, encodedResource, encodedQuery, req.Header)