auth: exclude additional hop-by-hop headers from SigV4 signing (boto#3643)

jonathan343 · web-flow · commit d94d17849bda · 2026-03-03T21:51:33.000-05:00
diff --git a/.changes/next-release/enhancement-auth-88913.json b/.changes/next-release/enhancement-auth-88913.json
@@ -0,0 +1,5 @@
+{
+  "type": "enhancement",
+  "category": "auth",
+  "description": "Exclude additional hop-by-hop headers from SigV4 signing to prevent signature mismatches when intermediaries mutate transport headers (connection, keep-alive, proxy-authenticate, proxy-authorization, TE, trailer, upgrade)."
+}
diff --git a/botocore/auth.py b/botocore/auth.py
@@ -62,8 +62,15 @@
 ISO8601 = '%Y-%m-%dT%H:%M:%SZ'
 SIGV4_TIMESTAMP = '%Y%m%dT%H%M%SZ'
 SIGNED_HEADERS_BLACKLIST = [
+    'connection',
     'expect',
+    'keep-alive',
+    'proxy-authenticate',
+    'proxy-authorization',
+    'te',
+    'trailer',
     'transfer-encoding',
+    'upgrade',
     'user-agent',
     'x-amzn-trace-id',
 ]
diff --git a/tests/unit/auth/test_signers.py b/tests/unit/auth/test_signers.py
@@ -386,7 +386,12 @@ def _test_blocklist_header(self, header, value):
         )
         auth = self.AuthClass(credentials, 's3', 'us-east-1')
         auth.add_auth(request)
-        self.assertNotIn(header, request.headers['Authorization'])
+        signed_headers = (
+            request.headers['Authorization']
+            .split('SignedHeaders=', 1)[1]
+            .split(',', 1)[0]
+        )
+        self.assertNotIn(header.lower(), signed_headers.split(';'))
 
     def test_blocklist_expect_headers(self):
         self._test_blocklist_header('expect', '100-continue')
@@ -402,6 +407,31 @@ def test_blocklist_user_agent_header(self):
     def test_blocklist_transfer_encoding_header(self):
         self._test_blocklist_header('transfer-encoding', 'chunked')
 
+    def test_blocklist_connection_header(self):
+        self._test_blocklist_header('connection', 'keep-alive')
+
+    def test_blocklist_keep_alive_header(self):
+        self._test_blocklist_header('keep-alive', 'timeout=5')
+
+    def test_blocklist_proxy_authenticate_header(self):
+        self._test_blocklist_header(
+            'proxy-authenticate', 'Basic realm="proxy.example.com"'
+        )
+
+    def test_blocklist_proxy_authorization_header(self):
+        self._test_blocklist_header(
+            'proxy-authorization', 'Basic YWxhZGRpbjpvcGVuc2VzYW1l'
+        )
+
+    def test_blocklist_te_header(self):
+        self._test_blocklist_header('te', 'trailers')
+
+    def test_blocklist_trailer_header(self):
+        self._test_blocklist_header('trailer', 'x-amz-checksum-sha256')
+
+    def test_blocklist_upgrade_header(self):
+        self._test_blocklist_header('upgrade', 'websocket')
+
     def test_uses_sha256_if_config_value_is_true(self):
         self.client_config.s3['payload_signing_enabled'] = True
         self.auth.add_auth(self.request)
