From d08d0f338fb86f7d679a998ff4f65f4e2d0db595 Mon Sep 17 00:00:00 2001
From: Emil Lerch
Date: Wed, 25 Oct 2023 00:00:11 -0700
Subject: [PATCH] Using ".?" actually causes a panic, which we do not want in this path NOTE: This only fixes the top level Authorization header. A malformed header can still cause havoc
---
 src/aws_signing.zig | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/aws_signing.zig b/src/aws_signing.zig
index 606409c..4286bd9 100644
--- a/src/aws_signing.zig
+++ b/src/aws_signing.zig
@@ -302,7 +302,8 @@ pub const UnverifiedRequest = struct {
 pub fn verify(allocator: std.mem.Allocator, request: UnverifiedRequest, request_body_reader: anytype, credentials_fn: credentialsFn) !bool {
 // Authorization: AWS4-HMAC-SHA256 Credential=ACCESS/20230908/us-west-2/s3/aws4_request, SignedHeaders=accept;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-storage-class, Signature=fcc43ce73a34c9bd1ddf17e8a435f46a859812822f944f9eeb2aabcd64b03523
- const auth_header = request.headers.getFirstValue("Authorization").?;
+ const auth_header_or_null = request.headers.getFirstValue("Authorization");
+ const auth_header = if (auth_header_or_null) |a| a else return error.AuthorizationHeaderMissing;
 if (!std.mem.startsWith(u8, auth_header, "AWS4-HMAC-SHA256")) return error.UnsupportedAuthorizationType;
 var credential: ?[]const u8 = null;
 var signed_headers: ?[]const u8 = null;
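Review bot: The two added lines can be a single `orelse`, the idiomatic unwrap-or-return, which drops the `auth_header_or_null` temporary: `const auth_header = request.headers.getFirstValue("Authorization") orelse return error.AuthorizationHeaderMissing;`. `verify` parses this header before any signature has been checked, so every remaining unwrap of request-derived data can be reached by an unauthenticated caller. `credential` and `signed_headers` are declared as optionals just below; if they are later read with `.?` (that code is outside this hunk, so this is inferred from the commit message's own caveat), they need the same `orelse return error.…` handling with a distinct error. A test that calls `verify` with no Authorization header would keep this path from regressing.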