diff --git a/.changelog/transfer-encoding-signing.md b/.changelog/transfer-encoding-signing.md
new file mode 100644
index 0000000000000000000000000000000000000000..19975f0e4f21f0735b7407e5a8eef77de86c9783
--- /dev/null
+++ b/.changelog/transfer-encoding-signing.md
@@ -0,0 +1,10 @@
+---
+applies_to: ["aws-sdk-rust"]
+authors: ["landonxjames"]
+references: ["smithy-rs#3991"]
+breaking: false
+new_feature: false
+bug_fix: true
+---
+
+Exclude `transfer-encoding` header from sigv4(a) signing since it is a hop by hop header that can be modified or removed by a proxy.
diff --git a/aws/rust-runtime/Cargo.lock b/aws/rust-runtime/Cargo.lock
index 47b7a8e10a176dd6c43f339249aa951b0b805be6..45f02311311be538d68c8656c2795c0d9f529585 100644
--- a/aws/rust-runtime/Cargo.lock
+++ b/aws/rust-runtime/Cargo.lock
@@ -228,7 +228,7 @@ version = "0.60.3"
 
 [[package]]
 name = "aws-sigv4"
-version = "1.2.7"
+version = "1.2.8"
 dependencies = [
  "aws-credential-types",
  "aws-smithy-eventstream",
diff --git a/aws/rust-runtime/aws-sigv4/Cargo.toml b/aws/rust-runtime/aws-sigv4/Cargo.toml
index 5bda4ee0414999451dfa926988ec539e2ca1224c..cdc588bbe93619807476cad0aa83ae6170200e16 100644
--- a/aws/rust-runtime/aws-sigv4/Cargo.toml
+++ b/aws/rust-runtime/aws-sigv4/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "aws-sigv4"
-version = "1.2.7"
+version = "1.2.8"
 authors = ["AWS Rust SDK Team <aws-sdk-rust@amazon.com>", "David Barsky <me@davidbarsky.com>"]
 description = "SigV4 signer for HTTP requests and Event Stream messages."
 edition = "2021"
diff --git a/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs b/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs
index 4622f841d985fd9db5b54528915b3fb2cf5d59a4..265025e046e35329227ad5dc50ae4897c17a3481 100644
--- a/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs
+++ b/aws/rust-runtime/aws-sigv4/src/http_request/canonical_request.rs
@@ -877,7 +877,7 @@ mod tests {
         assert_eq!(creq.values.signed_headers().as_str(), "host;x-amz-date");
     }
 
-    // It should exclude authorization, user-agent, x-amzn-trace-id headers from presigning
+    // It should exclude authorization, user-agent, x-amzn-trace-id, and transfer-encoding headers from presigning
     #[test]
     fn non_presigning_header_exclusion() {
         let request = http0::Request::builder()
@@ -888,6 +888,7 @@ mod tests {
             .header("user-agent", "test-user-agent")
             .header("x-amzn-trace-id", "test-trace-id")
             .header("x-amz-user-agent", "test-user-agent")
+            .header("transfer-encoding", "chunked")
             .body("")
             .unwrap()
             .into();
@@ -909,7 +910,7 @@ mod tests {
         );
     }
 
-    // It should exclude authorization, user-agent, x-amz-user-agent, x-amzn-trace-id headers from presigning
+    // It should exclude authorization, user-agent, x-amz-user-agent, x-amzn-trace-id, and transfer-encoding headers from presigning
     #[test]
     fn presigning_header_exclusion() {
         let request = http0::Request::builder()
@@ -920,6 +921,7 @@ mod tests {
             .header("user-agent", "test-user-agent")
             .header("x-amzn-trace-id", "test-trace-id")
             .header("x-amz-user-agent", "test-user-agent")
+            .header("transfer-encoding", "chunked")
             .body("")
             .unwrap()
             .into();
diff --git a/aws/rust-runtime/aws-sigv4/src/http_request/settings.rs b/aws/rust-runtime/aws-sigv4/src/http_request/settings.rs
index bc8409b807d83958f008490e6f74e12de165fbad..4ca7158eee819a64624f8c5d85553c160ef57f6e 100644
--- a/aws/rust-runtime/aws-sigv4/src/http_request/settings.rs
+++ b/aws/rust-runtime/aws-sigv4/src/http_request/settings.rs
@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-use http0::header::{AUTHORIZATION, USER_AGENT};
+use http0::header::{AUTHORIZATION, TRANSFER_ENCODING, USER_AGENT};
 use std::borrow::Cow;
 use std::time::Duration;
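Review bot: The rewritten comment above `fn non_presigning_header_exclusion()` in the first hunk still ends with "from presigning", which contradicts the test it sits on; the parallel comment above `presigning_header_exclusion` in the third hunk is the one that should say presigning. Suggest `// It should exclude authorization, user-agent, x-amzn-trace-id, and transfer-encoding headers from (non-presigned) signing` for the first. The bodies of both tests continue past their hunks, so the assertion that `transfer-encoding` is absent from the signed-headers list is not visible here; I assume it is checked the same way as the existing exclusions, worth confirming since the added `.header("transfer-encoding", "chunked")` lines are otherwise inert.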
@@ -126,6 +126,8 @@ impl Default for SigningSettings {
                 Cow::Borrowed(USER_AGENT.as_str()),
                 // Changes based on the request from the client
                 Cow::Borrowed(HEADER_NAME_X_RAY_TRACE_ID),
+                // Hop by hop header, can be erased by Cloudfront
+                Cow::Borrowed(TRANSFER_ENCODING.as_str()),
             ]
             .to_vec(),
         );
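Review bot: The new comment on the `TRANSFER_ENCODING` entry names Cloudfront as the reason, but the justification is general: HTTP/1.1 defines Transfer-Encoding as hop-by-hop, so any intermediary may strip or rewrite it and a signature covering it would fail verification downstream, which is how the changelog entry in this commit phrases it. Suggest `// Hop-by-hop header (HTTP/1.1): any proxy, e.g. CloudFront, may strip or rewrite it, so it must stay out of the signed headers` so the next reader does not treat this as a CloudFront-only workaround. It would also help to state in the same comment that leaving this header unsigned does not weaken request integrity because the body is bound by the payload hash rather than by its framing, presumably via x-amz-content-sha256 in this signer; confirm before writing that down. The enclosing default() impl starts and ends outside the hunk.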