Fix verify_api_response_signature backward compatibility

const-cloudinary · const-cloudinary · commit bffecf4b2962 · 2025-06-16T18:14:33.000+03:00
diff --git a/cloudinary/utils.py b/cloudinary/utils.py
@@ -627,15 +627,50 @@ def sign_request(params, options):
     return params
 
 
-def api_sign_request(params_to_sign, api_secret, algorithm=SIGNATURE_SHA1):
-    params = [_encode_param(k + "=" + (
-        ",".join(v) if isinstance(v, list) else
-        str(v).lower() if isinstance(v, bool) else
-        str(v)
-    )) for k, v in params_to_sign.items() if v]
-    to_sign = "&".join(sorted(params))
+def api_sign_request(params_to_sign, api_secret, algorithm=SIGNATURE_SHA1, signature_version=2):
+    """
+    Signs API request parameters using the specified algorithm and signature version.
+    
+    :param params_to_sign: Parameters to include in the signature
+    :param api_secret: API secret key
+    :param algorithm: Signature algorithm (default: SHA1)
+    :param signature_version: Signature version (default: 2)
+        - Version 1: Original behavior without parameter encoding
+        - Version 2+: Includes parameter encoding to prevent parameter smuggling
+    :return: Computed signature
+    """
+    to_sign = api_string_to_sign(params_to_sign, signature_version)
     return compute_hex_hash(to_sign + api_secret, algorithm)
 
+
+def api_string_to_sign(params_to_sign, signature_version=2):
+    """
+    Generates a string to be signed for API requests.
+    
+    :param params_to_sign: Parameters to include in the signature
+    :param signature_version: Version of signature algorithm to use:
+        - Version 1: Original behavior without parameter encoding
+        - Version 2+ (default): Includes parameter encoding to prevent parameter smuggling
+    :return: String to be signed
+    """
+    params = []
+    for k, v in params_to_sign.items():
+        if v:
+            if isinstance(v, list):
+                value = ",".join(v)
+            elif isinstance(v, bool):
+                value = str(v).lower()
+            else:
+                value = str(v)
+            
+            param_string = k + "=" + value
+            if signature_version >= 2:
+                param_string = _encode_param(param_string)
+            params.append(param_string)
+    
+    return "&".join(sorted(params))
+
+
 def _encode_param(value):
     """
     Encodes a parameter for safe inclusion in URL query strings.
@@ -648,6 +683,7 @@ def _encode_param(value):
     """
     return str(value).replace("&", "%26")
 
+
 def breakpoint_settings_mapper(breakpoint_settings):
     breakpoint_settings = copy.deepcopy(breakpoint_settings)
     transformation = breakpoint_settings.get("transformation")
@@ -1587,10 +1623,12 @@ def verify_api_response_signature(public_id, version, signature, algorithm=None)
     parameters_to_sign = {'public_id': public_id,
                           'version': version}
 
+    # Use signature version 1 for backward compatibility
     return signature == api_sign_request(
         parameters_to_sign,
         cloudinary.config().api_secret,
-        algorithm or cloudinary.config().signature_algorithm
+        algorithm or cloudinary.config().signature_algorithm,
+        signature_version=1
     )
 
 
diff --git a/test/test_utils.py b/test/test_utils.py
@@ -1489,6 +1489,45 @@ def test_api_sign_request_prevents_parameter_smuggling(self):
         expected_smuggled_signature = "7b4e3a539ff1fa6e6700c41b3a2ee77586a025f9"
         self.assertEqual(expected_smuggled_signature, signature_smuggled)
 
+    def test_api_sign_request_signature_versions(self):
+        """Should use signature version 1 (without parameter encoding) for backward compatibility"""
+        public_id_with_ampersand = 'tests/logo&version=2'
+        test_version = 1
+        
+        expected_signature_v1 = api_sign_request(
+            {'public_id': public_id_with_ampersand, 'version': test_version},
+            API_SIGN_REQUEST_TEST_SECRET,
+            cloudinary.utils.SIGNATURE_SHA1,
+            signature_version=1
+        )
+        
+        expected_signature_v2 = api_sign_request(
+            {'public_id': public_id_with_ampersand, 'version': test_version},
+            API_SIGN_REQUEST_TEST_SECRET,
+            cloudinary.utils.SIGNATURE_SHA1,
+            signature_version=2
+        )
+        
+        self.assertNotEqual(expected_signature_v1, expected_signature_v2)
+        
+        # verify_api_response_signature should use version 1 for backward compatibility
+        with patch('cloudinary.config', return_value=cloudinary.config(api_secret=API_SIGN_REQUEST_TEST_SECRET)):
+            self.assertTrue(
+                verify_api_response_signature(
+                    public_id_with_ampersand,
+                    test_version,
+                    expected_signature_v1
+                )
+            )
+            
+            self.assertFalse(
+                verify_api_response_signature(
+                    public_id_with_ampersand,
+                    test_version,
+                    expected_signature_v2
+                )
+            )
+
 
 if __name__ == '__main__':
     unittest.main()
