Fix signature generation with rawurldecode #24
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
steven-fulll
requested review from
Lulabally,
Samffy,
claude-boutinon-fulll,
fberthereau and
obense
claude-boutinon-fulll
previously approved these changes
Jun 23, 2025
fberthereau
reviewed
Jun 23, 2025
Security/Firewall/SignedRequest.php
Outdated
| $this->method, | ||
| $this->host, | ||
| $this->pathInfo, | ||
| rawurldecode($this->content), |
There was a problem hiding this comment.
Maybe you can only add a boolean to the rawurldecode function or not and not duplicate all the code no ?
obense
approved these changes
Jun 24, 2025
claude-boutinon-fulll
approved these changes
Jun 24, 2025
Azoog
approved these changes
Jun 25, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The issue
We had a case of invalid signature created by the bundle for another PHP app using this very same bundle to verify the signature. After some digging, there is an incompatibility between signature creation and signature verification :
This means that if the body contains any character that can be changed by this function (from
%00to%FF) the signature will always be invalid. Thisrawurldecodedalready existed in the Rezzza bundle, and this seems to be a bug.Explored solutions
Remove the rawurldecoded in the listener
This seems to be the healthiest solution but this might create a signature incompatibility with how the signature is verified today, mostly for products that does not use this bundle (node, front, etc...).
Ignore it and leave the responsability to the products that creates the signature to fix it
The problem with this solution is mainly with the
Psr7RequestSignerthat requires aRequestInterfaceand attach the signature to it. To correctly use it, we have to create a Request with the rawurldecoded data, use the signer, get the signature from this request and attach it to a second request with the real data.Sign the request with rawurldecoded data
This is the chosen solution, a compromise between no BC-break and code usability.
BC-Break ?
This seems like a BC-Break solution because it changes how the signature is generated, but it simply couldn't work before.
For body without values that are between
%00and%FFthe signature will be exactly the same.For body with thoses values, the signature will be from invalid to valid for this very same bundle.