Mercurial > libervia-backend

--- a/sat/plugins/plugin_comp_ap_gateway/http_server.py	Wed Aug 31 17:07:03 2022 +0200
+++ b/sat/plugins/plugin_comp_ap_gateway/http_server.py	Wed Aug 31 17:07:03 2022 +0200
@@ -980,7 +980,7 @@
         for to_sign in signed_headers:
             if to_sign == "(request-target)":
                 method = request.method.decode().lower()
-                uri = parse.unquote(request.uri.decode())
+                uri = request.uri.decode()
                 headers[to_sign] = f"{method} /{uri.lstrip('/')}"
             elif to_sign in ("(created)", "(expires)"):
                 if algorithm != HS2019:
@@ -1070,11 +1070,24 @@
         if created > limit_ts:
             raise exceptions.EncryptionError("Signature has expired")

-        return await self.apg.checkSignature(
-            sign_data["signature"],
-            key_id,
-            headers
-        )
+        try:
+            return await self.apg.checkSignature(
+                sign_data["signature"],
+                key_id,
+                headers
+            )
+        except exceptions.EncryptionError:
+            method, url = headers["(request-target)"].rsplit(' ', 1)
+            headers["(request-target)"] = f"{method} {parse.unquote(url)}"
+            log.debug(
+                "Using workaround for (request-target) encoding bug in signature, "
+                "see https://github.com/mastodon/mastodon/issues/18871"
+            )
+            return await self.apg.checkSignature(
+                sign_data["signature"],
+                key_id,
+                headers
+            )

     def render(self, request):
         request.setHeader("server", VERSION)