I think I may have uncovered a bug, but I’m not confident so asking here:
Infos:
- Used Zammad version: 6.5.0
- Used Zammad installation type: docker (portainer)
- Operating system: Amazon Linux 2023
- Browser + version: Chrome, something recent-ish but I don’t think that’s relevant here.
Expected behavior:
- Setting S3_URL with an access key containing ‘/’ allows connection
Actual behavior:
- Setting S3_URL with an access key containing ‘/’ gives various errors.
Further details:
AWS can create IAM credentials with ‘/’ as part of the secret key. Setting this in the URL gives the error “bad URI(is not URI?)”.
In the Ruby console we can see that the password component of the URI must be escaped for it to be parsed:
```
3.3.3 :020 > u = URI('https://user:secret/password@example.com/hello?region=foo')
(irb):20:in `<main>': bad URI(is not URI?): "https://user:secret/password@example.com/hello?region=foo" (URI::InvalidURIError)
3.3.3 :021 > u = URI('https://user:secret%2Fpassword@example.com/hello?region=foo')
 => #<URI::HTTPS https://user:secret%2Fpassword@example.com/hello?region=foo>
3.3.3 :022 >
```
However, when querying the object for the username and password, the slash remains escaped:
```
3.3.3 :022 > u.user
 => "user"
3.3.3 :023 > u.password
 => "secret%2Fpassword"
3.3.3 :024 >
```
In Zammad, setting the URL with the slash escaped with %2F gets rid of the “Invalid URI” error but instead gives authentication errors.
I believe the source file zammad/lib/zammad/service/configuration.rb uses the username and password without unescaping here (at approximately line 126):

```ruby
def template(uri)
  case @adapter
  when 's3'
    {
      bucket: uri.path.present? ? uri.path.sub(%r{^/}, '') : nil,
      endpoint: "#{uri.scheme}://#{uri.host}" + (uri.port.present? ? ":#{uri.port}" : ''),
      access_key_id: uri.user.presence,
      secret_access_key: uri.password.presence,
    }
  else
    {}
  end
end
```
My question is: Am I missing something?
I’m in a hurry, so I’ll probably just get S3 to regenerate more keys until I can get one without a slash, but is there some other secret to getting a slash to work in the access key?
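The round trip described in the post, as an added example that is not part of the original post and is not Zammad's code: credentials are percent-encoded before they go into the URL and decoded again after parsing, so a secret containing `/`, `+` or `%` survives intact. The helper names, host, bucket and sample secret are assumptions made up for the illustration.

```ruby
require 'uri'

# Constructed sample secret (not a real key): contains '/', '+', a literal "%2F", '@' and ':'.
SAMPLE_SECRET = 'abc/DEF+ghi%2Fjkl@mno:pqr'

# Percent-encode every byte outside RFC 3986 "unreserved", so the value is
# unambiguous inside the userinfo part of a URL.
def escape_userinfo(value)
  value.b.gsub(/[^A-Za-z0-9\-._~]/) { |byte| format('%%%02X', byte.ord) }
end

# Inverse of escape_userinfo. '+' stays '+' (form-style decoders would turn it into a space).
def unescape_userinfo(value)
  return nil if value.nil? || value.empty?

  value.b.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }.force_encoding(Encoding::UTF_8)
end

# Hypothetical helper: assemble an S3_URL-style string with escaped credentials.
def build_s3_url(host:, bucket:, access_key_id:, secret_access_key:, region:)
  "https://#{escape_userinfo(access_key_id)}:#{escape_userinfo(secret_access_key)}" \
    "@#{host}/#{bucket}?region=#{region}"
end

# Hypothetical consumer: same fields as the template method quoted in the post,
# but with the credentials decoded after parsing.
def s3_settings(url)
  uri = URI(url)
  {
    bucket: uri.path.to_s.delete_prefix('/'),
    endpoint: "#{uri.scheme}://#{uri.host}:#{uri.port}",
    access_key_id: unescape_userinfo(uri.user),
    secret_access_key: unescape_userinfo(uri.password),
  }
end

if __FILE__ == $PROGRAM_NAME
  url = build_s3_url(host: 's3.example.com', bucket: 'zammad',
                     access_key_id: 'AKIAEXAMPLE', secret_access_key: SAMPLE_SECRET,
                     region: 'foo')
  puts url
  p s3_settings(url)
end
```
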