From fb8d0062e829dc7e7338535d317b864f62a90966 Mon Sep 17 00:00:00 2001
From: Tibor Rac
Date: Wed, 6 Dec 2023 06:39:36 +0100
Subject: [PATCH 1/2] Normalize url to ensure consistent signing.
---
 src/AbstractUrlSigner.php | 6 ++++--
 src/BaseUrlSigner.php | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/AbstractUrlSigner.php b/src/AbstractUrlSigner.php
index 9d40af8..0f009a6 100644
--- a/src/AbstractUrlSigner.php
+++ b/src/AbstractUrlSigner.php
@@ -36,9 +36,11 @@ public function sign(
 $expiration = $this->getExpirationTimestamp($expiration);
- $signature = $this->createSignature($url, $expiration, $signatureKey);
+ $normalizedUrl = $this->getIntendedUrl($url);
- return $this->signUrl($url, $expiration, $signature);
+ $signature = $this->createSignature($normalizedUrl, $expiration, $signatureKey);
+
+ return $this->signUrl($normalizedUrl, $expiration, $signature);
 }
 protected function signUrl(string $url, string $expiration, $signature): string
diff --git a/src/BaseUrlSigner.php b/src/BaseUrlSigner.php
index acdbf5a..0d9f3ba 100644
--- a/src/BaseUrlSigner.php
+++ b/src/BaseUrlSigner.php
@@ -37,9 +37,11 @@ public function sign(
 $expiration = $this->getExpirationTimestamp($expiration);
- $signature = $this->createSignature($url, $expiration, $signatureKey);
+ $normalizedUrl = $this->getIntendedUrl($url);
- return $this->signUrl($url, $expiration, $signature);
+ $signature = $this->createSignature($normalizedUrl, $expiration, $signatureKey);
+
+ return $this->signUrl($normalizedUrl, $expiration, $signature);
 }
 protected function signUrl(string $url, string $expiration, $signature): string
From 730d25486495baac86be64f6c373af0a05256a3e Mon Sep 17 00:00:00 2001
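Review bot: `createSignature()` and `signUrl()` now receive `getIntendedUrl($url)` instead of the caller's URL, so the signer and `validate()` have to apply exactly the same normalization — if the validate side (outside this hunk) normalizes differently, or re-normalizes an already normalized query into another encoding, the signature binds a different string than the one being checked, which a round-trip test on an unnormalized input such as `?foo=bar baz` would catch. A second consequence, inferred from the new reserved-parameter tests rather than visible here, is that a caller URL already carrying `expires`/`signature` parameters has them silently overwritten rather than rejected; `sign()` should say so in its docblock, e.g. `@param string $url URL to sign; it is normalized via getIntendedUrl() first and any existing expires/signature query parameters are replaced.` `sign()` starts before this hunk, and `src/BaseUrlSigner.php` receives the identical change, so the same note applies there — the body duplicated across both classes is also worth collapsing into one.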
From: Tibor Rac
Date: Wed, 6 Dec 2023 06:39:50 +0100
Subject: [PATCH 2/2] Add signing and validation tests for special and reserved query parameters.
---
 tests/Md5UrlSignerTest.php | 24 ++++++++++++++++++++++++
 tests/Sha256UrlSignerTest.php | 24 ++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
diff --git a/tests/Md5UrlSignerTest.php b/tests/Md5UrlSignerTest.php
index 1a2827a..5634ce3 100644
--- a/tests/Md5UrlSignerTest.php
+++ b/tests/Md5UrlSignerTest.php
@@ -83,3 +83,27 @@
 expect($this->urlSigner->validate($signedUsingCustomKey, 'custom-key'))->toBeTrue();
 expect($this->urlSigner->validate($signedUsingCustomKey, 'wrong-custom-key'))->toBeFalse();
 });
+
+it('can sign url which has special characters in the query parameters', function ($url) {
+ $expiration = 100;
+
+ $signedUrl = $this->urlSigner->sign($url, $expiration);
+
+ expect($this->urlSigner->validate($signedUrl))->toBeTrue();
+})->with([
+ ['https://myapp.com/?foo=bar baz'],
+ ['https://myapp.com/?foo=bar%20baz'],
+ ['https://myapp.com/?foo=bar@baz.com'],
+]);
+
+it('can sign url which has reserved query parameters', function ($url) {
+ $expiration = 100;
+
+ $signedUrl = $this->urlSigner->sign($url, $expiration);
+
+ expect($this->urlSigner->validate($signedUrl))->toBeTrue();
+})->with([
+ ['https://myapp.com/?foo=bar&expires=100&signature=abc123'],
+ ['https://myapp.com/?foo=bar&expires=100'],
+ ['https://myapp.com/?foo=bar&signature=abc123'],
+]);
\ No newline at end of file
diff --git a/tests/Sha256UrlSignerTest.php b/tests/Sha256UrlSignerTest.php
index 58167ab..b296613 100644
--- a/tests/Sha256UrlSignerTest.php
+++ b/tests/Sha256UrlSignerTest.php
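Review bot: Both new tests assert only that `validate()` accepts the URL `sign()` returned, which would also pass if normalization dropped or rewrote the caller's query; nothing pins what the signed URL looks like for `foo=bar@baz.com`, whether `bar baz` and `bar%20baz` end up signed identically, or what becomes of a pre-existing `expires=100&signature=abc123`, so each case should also assert on the signed URL itself (e.g. `expect($signedUrl)->toContain('foo=')`). A negative case is missing as well: sign a URL, append a parameter to the result, and expect validation to fail — that is what shows the signature binds the normalized query rather than something looser (assuming `validate()` strips only the reserved parameters, which is outside this hunk). The file ends without a trailing newline (`\ No newline at end of file`); add one. `tests/Sha256UrlSignerTest.php` adds the identical tests, so the same applies there.
```php
it('rejects a signed url whose query was altered after signing', function () {
    $signedUrl = $this->urlSigner->sign('https://myapp.com/?foo=bar%20baz', 100);

    // An extra parameter changes the intended URL, so the embedded signature must no longer match.
    expect($this->urlSigner->validate($signedUrl . '&tampered=1'))->toBeFalse();
});
```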
@@ -92,3 +92,27 @@
 expect($this->urlSigner->validate($signedUsingCustomKey, 'custom-key'))->toBeTrue();
 expect($this->urlSigner->validate($signedUsingCustomKey, 'wrong-custom-key'))->toBeFalse();
 });
+
+it('can sign url which has special characters in the query parameters', function ($url) {
+ $expiration = 100;
+
+ $signedUrl = $this->urlSigner->sign($url, $expiration);
+
+ expect($this->urlSigner->validate($signedUrl))->toBeTrue();
+})->with([
+ ['https://myapp.com/?foo=bar baz'],
+ ['https://myapp.com/?foo=bar%20baz'],
+ ['https://myapp.com/?foo=bar@baz.com'],
+]);
+
+it('can sign url which has reserved query parameters', function ($url) {
+ $expiration = 100;
+
+ $signedUrl = $this->urlSigner->sign($url, $expiration);
+
+ expect($this->urlSigner->validate($signedUrl))->toBeTrue();
+})->with([
+ ['https://myapp.com/?foo=bar&expires=100&signature=abc123'],
+ ['https://myapp.com/?foo=bar&expires=100'],
+ ['https://myapp.com/?foo=bar&signature=abc123'],
+]);
\ No newline at end of file