Skip to content

bugfix: Ensure SignatureV4 sorts query parameters by their URL-encoded names … #3201

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

bugfix: Ensure SignatureV4 sorts query parameters by their URL-encoded names … #3201

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
81d00e4
Ensure SignatureV4 sorts query parameters by their URL-encoded names …
timmi129 Oct 23, 2025
3970e8a
Ensure SignatureV4 sorts query parameters by their URL-encoded names …
timmi129 Oct 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .changes/nextrelease/fix-signature-ordering.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
[
{
"type": "bugfix",
"category": "Signature",
"description": "Ensure SignatureV4 sorts query parameters by their URL-encoded names before canonicalization, so array-style keys like param[10] no longer disrupt the canonical order and break signature validation."
}
]
4 changes: 3 additions & 1 deletion src/Signature/SignatureV4.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -346,7 +346,9 @@ private function getCanonicalizedQuery(array $query)
}

$qs = '';
ksort($query);
uksort($query, static function (string $a, string $b): int {
return strcmp(rawurlencode($a), rawurlencode($b));
});
foreach ($query as $k => $v) {
if (!is_array($v)) {
$qs .= rawurlencode($k) . '=' . rawurlencode($v !== null ? $v : '') . '&';
Expand Down
66 changes: 66 additions & 0 deletions tests/Signature/SignatureV4Test.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,21 @@ private function getFixtures()
return array($request, $credentials, $signature);
}

private function decodeQueryPairs(string $query): array
{
if ($query === '') {
return [];
}

$pairs = [];
foreach (explode('&', $query) as $pair) {
$parts = explode('=', $pair, 2);
$pairs[] = array_map('rawurldecode', $parts + ['', '']);
}

return $pairs;
}

public function getExpiresDateTimeInterfaceInputs()
{
return [
Expand Down Expand Up @@ -312,6 +327,57 @@ public function testPresignBlacklistedHeaders()
$this->assertStringNotContainsString('Content-Type', (string)$presigned->getUri());
}

public function testCanonicalQuerySortingOccursAfterEncoding()
{
$_SERVER['aws_time'] = '20110909T233600Z';

$signature = new SignatureV4('service', 'region');
$credentials = new Credentials(self::DEFAULT_KEY, self::DEFAULT_SECRET);
$query = 'param[0]=1111&param[1]=1111&param[10]=1111&param[2]=1111&param[3]=1111&param[4]=1111&param[5]=1111&param[6]=1111&param[7]=1111&param[8]=1111&param[9]=1111';
$request = new Request('GET', 'https://example.com/service?' . $query);

$parseRequest = new \ReflectionMethod($signature, 'parseRequest');
$parseRequest->setAccessible(true);
$parsedRequest = $parseRequest->invoke($signature, $request);

$getPayload = new \ReflectionMethod($signature, 'getPayload');
$getPayload->setAccessible(true);
$payload = $getPayload->invoke($signature, $request);

$createContext = new \ReflectionMethod($signature, 'createContext');
$createContext->setAccessible(true);
$context = $createContext->invoke($signature, $parsedRequest, $payload);

$canonicalQuery = explode("\n", $context['creq'])[2];
$expectedPairs = [
['param[0]', '1111'],
['param[1]', '1111'],
['param[10]', '1111'],
['param[2]', '1111'],
['param[3]', '1111'],
['param[4]', '1111'],
['param[5]', '1111'],
['param[6]', '1111'],
['param[7]', '1111'],
['param[8]', '1111'],
['param[9]', '1111'],
];

$this->assertSame($expectedPairs, $this->decodeQueryPairs($canonicalQuery));

$expectedCanonical = "GET\n/service\n" . $canonicalQuery . "\nhost:example.com\n\nhost\n" . $payload;
$this->assertSame($expectedCanonical, $context['creq']);

$signed = $signature->signRequest($request, $credentials);
$this->assertSame($expectedPairs, $this->decodeQueryPairs($signed->getUri()->getQuery()));

$expectedSigned = "GET /service?param%5B0%5D=1111&param%5B1%5D=1111&param%5B10%5D=1111&param%5B2%5D=1111&param%5B3%5D=1111&param%5B4%5D=1111&param%5B5%5D=1111&param%5B6%5D=1111&param%5B7%5D=1111&param%5B8%5D=1111&param%5B9%5D=1111 HTTP/1.1\r\n"
. "Host: example.com\r\n"
. "X-Amz-Date: 20110909T233600Z\r\n"
. "Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/region/service/aws4_request, SignedHeaders=host;x-amz-date, Signature=db59e82a5b69e8d4a0fb1a6ceff6a0ff7beca86ac5531b8c69fa93ea0028634b\r\n\r\n";
$this->assertSame($expectedSigned, Psr7\Message::toString($signed));
}

public function testEnsuresContentSha256CanBeCalculated()
{
$this->expectException(\Aws\Exception\CouldNotCreateChecksumException::class);
Expand Down