fix: preserve standard ports in presigned URLs for signature validation

durch · durch · commit 364b8033b7ce · 2025-09-16T23:38:26.000+02:00
When custom endpoints explicitly specify standard ports (80 for HTTP, 443 for HTTPS), these ports must be preserved in presigned URLs. The URL crate's to_string() method omits standard ports by design, but this causes signature validation failures when servers expect the port in the Host header. This fix rebuilds the presigned URL string with the original host (including port) when a custom region explicitly specifies a standard port. Non-standard ports continue to work as before since they are naturally preserved by URL parsing. Added comprehensive tests to verify correct behavior for both standard and non-standard ports. Closes #419
diff --git a/s3/src/bucket.rs b/s3/src/bucket.rs
@@ -3685,6 +3685,76 @@ mod test {
         assert!(url.contains("/test/test.file?"))
     }
 
+    #[maybe_async::test(
+        feature = "sync",
+        async(all(not(feature = "sync"), feature = "with-tokio"), tokio::test),
+        async(
+            all(not(feature = "sync"), feature = "with-async-std"),
+            async_std::test
+        )
+    )]
+    async fn test_presign_url_standard_ports() {
+        // Test that presigned URLs preserve standard ports in the host header
+        // This is crucial for signature validation
+
+        // Test with HTTP standard port 80
+        let region_http_80 = Region::Custom {
+            region: "eu-central-1".to_owned(),
+            endpoint: "http://minio:80".to_owned(),
+        };
+        let credentials = Credentials::new(
+            Some("test_access_key"),
+            Some("test_secret_key"),
+            None,
+            None,
+            None,
+        ).unwrap();
+        let bucket_http_80 = Bucket::new("test-bucket", region_http_80, credentials.clone())
+            .unwrap()
+            .with_path_style();
+
+        let presigned_url_80 = bucket_http_80.presign_get("/test.file", 3600, None).await.unwrap();
+        println!("Presigned URL with port 80: {}", presigned_url_80);
+
+        // Port 80 MUST be preserved in the URL for signature validation
+        assert!(
+            presigned_url_80.starts_with("http://minio:80/"),
+            "URL must preserve port 80, got: {}",
+            presigned_url_80
+        );
+
+        // Test with HTTPS standard port 443
+        let region_https_443 = Region::Custom {
+            region: "eu-central-1".to_owned(),
+            endpoint: "https://minio:443".to_owned(),
+        };
+        let bucket_https_443 = Bucket::new("test-bucket", region_https_443, credentials.clone())
+            .unwrap()
+            .with_path_style();
+
+        let presigned_url_443 = bucket_https_443.presign_get("/test.file", 3600, None).await.unwrap();
+        println!("Presigned URL with port 443: {}", presigned_url_443);
+
+        // Port 443 MUST be preserved in the URL for signature validation
+        assert!(
+            presigned_url_443.starts_with("https://minio:443/"),
+            "URL must preserve port 443, got: {}",
+            presigned_url_443
+        );
+
+        // Test with non-standard port (should always include port)
+        let region_http_9000 = Region::Custom {
+            region: "eu-central-1".to_owned(),
+            endpoint: "http://minio:9000".to_owned(),
+        };
+        let bucket_http_9000 = Bucket::new("test-bucket", region_http_9000, credentials)
+            .unwrap()
+            .with_path_style();
+
+        let presigned_url_9000 = bucket_http_9000.presign_get("/test.file", 3600, None).await.unwrap();
+        assert!(presigned_url_9000.contains("minio:9000"), "Non-standard port should be preserved in URL");
+    }
+
     #[maybe_async::test(
         feature = "sync",
         async(all(not(feature = "sync"), feature = "with-tokio"), tokio::test),
diff --git a/s3/src/request/request_trait.rs b/s3/src/request/request_trait.rs
@@ -283,10 +283,38 @@ pub trait Request {
             _ => unreachable!(),
         };
 
+        let url = self
+            .presigned_url_no_sig(expiry, custom_headers.as_ref(), custom_queries.as_ref())
+            .await?;
+
+        // Build the URL string preserving the original host (including standard ports)
+        // The Url type drops standard ports when converting to string, but we need them
+        // for signature validation
+        let url_str = if let awsregion::Region::Custom { ref endpoint, .. } = self.bucket().region()
+        {
+            // Check if we need to preserve a standard port
+            if (endpoint.contains(":80") && url.scheme() == "http" && url.port().is_none())
+                || (endpoint.contains(":443") && url.scheme() == "https" && url.port().is_none())
+            {
+                // Rebuild the URL with the original host from the endpoint
+                let host = self.bucket().host();
+                format!(
+                    "{}://{}{}{}",
+                    url.scheme(),
+                    host,
+                    url.path(),
+                    url.query().map(|q| format!("?{}", q)).unwrap_or_default()
+                )
+            } else {
+                url.to_string()
+            }
+        } else {
+            url.to_string()
+        };
+
         Ok(format!(
             "{}&X-Amz-Signature={}",
-            self.presigned_url_no_sig(expiry, custom_headers.as_ref(), custom_queries.as_ref())
-                .await?,
+            url_str,
             self.presigned_authorization(custom_headers.as_ref())
                 .await?
         ))
@@ -308,9 +336,37 @@ pub trait Request {
             _ => unreachable!(),
         };
 
+        let url =
+            self.presigned_url_no_sig(expiry, custom_headers.as_ref(), custom_queries.as_ref())?;
+
+        // Build the URL string preserving the original host (including standard ports)
+        // The Url type drops standard ports when converting to string, but we need them
+        // for signature validation
+        let url_str = if let awsregion::Region::Custom { ref endpoint, .. } = self.bucket().region()
+        {
+            // Check if we need to preserve a standard port
+            if (endpoint.contains(":80") && url.scheme() == "http" && url.port().is_none())
+                || (endpoint.contains(":443") && url.scheme() == "https" && url.port().is_none())
+            {
+                // Rebuild the URL with the original host from the endpoint
+                let host = self.bucket().host();
+                format!(
+                    "{}://{}{}{}",
+                    url.scheme(),
+                    host,
+                    url.path(),
+                    url.query().map(|q| format!("?{}", q)).unwrap_or_default()
+                )
+            } else {
+                url.to_string()
+            }
+        } else {
+            url.to_string()
+        };
+
         Ok(format!(
             "{}&X-Amz-Signature={}",
-            self.presigned_url_no_sig(expiry, custom_headers.as_ref(), custom_queries.as_ref())?,
+            url_str,
             self.presigned_authorization(custom_headers.as_ref())?
         ))
     }
