diff --git a/botocore/crt/auth.py b/botocore/crt/auth.py
index 0d1a81def4..7ac4477076 100644
--- a/botocore/crt/auth.py
+++ b/botocore/crt/auth.py
@@ -81,7 +81,7 @@ def add_auth(self, request):
 else:
 explicit_payload = UNSIGNED_PAYLOAD
- if self._should_add_content_sha256_header(explicit_payload):
+ if self._should_add_content_sha256_header(existing_sha256, explicit_payload):
 body_header = (
 awscrt.auth.AwsSignedBodyHeaderType.X_AMZ_CONTENT_SHA_256
 )
@@ -169,7 +169,7 @@ def _should_sha256_sign_payload(self, request):
 # bit of metadata through the request context.
 return request.context.get('payload_signing_enabled', True)
- def _should_add_content_sha256_header(self, explicit_payload):
+ def _should_add_content_sha256_header(self, existing_sha256, explicit_payload):
 # only add X-Amz-Content-SHA256 header if payload is explicitly set
 return explicit_payload is not None
@@ -278,7 +278,7 @@ def add_auth(self, request):
 else:
 explicit_payload = UNSIGNED_PAYLOAD
- if self._should_add_content_sha256_header(explicit_payload):
+ if self._should_add_content_sha256_header(existing_sha256, explicit_payload):
 body_header = (
 awscrt.auth.AwsSignedBodyHeaderType.X_AMZ_CONTENT_SHA_256
 )
@@ -371,7 +371,7 @@ def _should_sha256_sign_payload(self, request):
 # bit of metadata through the request context.
 return request.context.get('payload_signing_enabled', True)
- def _should_add_content_sha256_header(self, explicit_payload):
+ def _should_add_content_sha256_header(self, existing_sha256, explicit_payload):
 # only add X-Amz-Content-SHA256 header if payload is explicitly set
 return explicit_payload is not None
@@ -421,7 +421,7 @@ def _should_sha256_sign_payload(self, request):
 # checks.
 return super()._should_sha256_sign_payload(request)
- def _should_add_content_sha256_header(self, explicit_payload):
+ def _should_add_content_sha256_header(self, existing_sha256, explicit_payload):
 # Always add X-Amz-Content-SHA256 header
 return True
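Review bot: The call `self._should_add_content_sha256_header(existing_sha256, explicit_payload)` now passes two positional arguments to an overridable hook, so a subclass outside this file that still defines the one-argument form would fail with a TypeError while signing; the identical call in the @@ -278 hunk has the same exposure. Every override visible in this diff is updated, but out-of-tree ones cannot be checked from here. `existing_sha256` is not assigned inside the hunk, so it is presumably set earlier in add_auth, whose body starts and ends outside the hunk. A comment at the call such as `# hook takes (existing_sha256, explicit_payload); existing_sha256 is presumably the pre-set X-Amz-Content-SHA256 header value, if any` would record the new contract.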
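Review bot: The base `_should_add_content_sha256_header` in the @@ -169 hunk now accepts `existing_sha256` but never reads it, and its comment still describes only `explicit_payload`; the same holds for the copy in the @@ -371 hunk and the always-True override in @@ -421. An unused parameter on a signing hook invites a later reader to treat it as dead code or to assume it is already checked here. I would add a one-line comment such as `# existing_sha256 is intentionally unused here; query-auth subclasses decide on it`, or a short docstring naming both parameters and the boolean return.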
@@ -494,6 +494,10 @@ def _apply_signing_changes(self, aws_request, signed_crt_request):
 # fragment - 4
 aws_request.url = urlunsplit((p[0], p[1], p[2], signed_query, p[4]))
+ def _should_add_content_sha256_header(self, existing_sha256, explicit_payload):
+ # only add X-Amz-Content-SHA256 header if header already set to UNSIGNED_PAYLOAD
+ return existing_sha256 == UNSIGNED_PAYLOAD
+
 class CrtS3SigV4AsymQueryAuth(CrtSigV4AsymQueryAuth):
 """S3 SigV4A auth using query parameters.
@@ -512,7 +516,7 @@ def _should_sha256_sign_payload(self, request):
 # payload. Instead, you use a constant string "UNSIGNED-PAYLOAD".
 return False
- def _should_add_content_sha256_header(self, explicit_payload):
+ def _should_add_content_sha256_header(self, existing_sha256, explicit_payload):
 # Never add X-Amz-Content-SHA256 header
 return False
@@ -591,6 +595,10 @@ def _apply_signing_changes(self, aws_request, signed_crt_request):
 # fragment - 4
 aws_request.url = urlunsplit((p[0], p[1], p[2], signed_query, p[4]))
+ def _should_add_content_sha256_header(self, existing_sha256, explicit_payload):
+ # only add X-Amz-Content-SHA256 header if header already set to UNSIGNED_PAYLOAD
+ return existing_sha256 == UNSIGNED_PAYLOAD
+
 class CrtS3SigV4QueryAuth(CrtSigV4QueryAuth):
 """S3 SigV4 auth using query parameters.
@@ -611,7 +619,7 @@ def _should_sha256_sign_payload(self, request):
 # payload. Instead, you use a constant string "UNSIGNED-PAYLOAD".
 return False
- def _should_add_content_sha256_header(self, explicit_payload):
+ def _should_add_content_sha256_header(self, existing_sha256, explicit_payload):
 # Never add X-Amz-Content-SHA256 header
 return False
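Review bot: The override added in the @@ -494 hunk decides only on `existing_sha256 == UNSIGNED_PAYLOAD` and never reads `explicit_payload`, so a pre-set header carrying a real digest is not emitted as a signed header for query auth, and the comment does not say whether that is intended. The check is an exact equality against the constant, so a value arriving as bytes or with different casing would silently yield False; whether that can happen depends on how `existing_sha256` is read, which is outside the hunk. I would extend the comment to `# Query auth: sign X-Amz-Content-SHA256 only when the caller pre-set it to UNSIGNED_PAYLOAD; any other pre-set value is not added as a signed header` and add a test covering the header being absent, unsigned and a digest. The identical method in the @@ -591 hunk needs the same treatment, and both enclosing classes start outside their hunks.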