Fix URL signature

Amir Tocker · Amir Tocker · commit 12fa0e2b4d2e · 2017-11-22T11:54:25.000+02:00
CGI::unescape replaces '+' with a space.
diff --git a/lib/cloudinary/utils.rb b/lib/cloudinary/utils.rb
@@ -397,11 +397,7 @@ def self.unsigned_download_url(source, options = {})
     transformation = transformation.gsub(%r(([^:])//), '\1/')
     if sign_url && ( !auth_token || auth_token.empty?)
       to_sign = [transformation, sign_version && version, source_to_sign].reject(&:blank?).join("/")
-      i = 0
-      while to_sign != CGI.unescape(to_sign) && i <10
-        to_sign = CGI.unescape(to_sign)
-        i = i + 1
-      end
+      to_sign = fully_unescape(to_sign)
       signature = 's--' + Base64.urlsafe_encode64(Digest::SHA1.digest(to_sign + secret))[0,8] + '--'
     end
 
@@ -848,8 +844,24 @@ def self.generate_auth_token(options)
     Cloudinary::AuthToken.generate options
 
   end
+  
   private
 
+
+  # Repeatedly unescapes the source until no more unescaping is possible or 10 cycles elapsed
+  # @param [String] source - a (possibly) escaped string
+  # @return [String] the fully unescaped string
+  # @private
+  def self.fully_unescape(source)
+    i = 0
+    while source != CGI.unescape(source) && i <10
+      source = CGI.unescape(source.gsub('+', '%2B')) # don't let unescape replace '+' with space
+      i = i + 1
+    end
+    source
+  end
+  private_class_method :fully_unescape
+  
   def self.hash_query_params(hash)
     if hash.respond_to?("to_query")
       hash.to_query
diff --git a/spec/utils_spec.rb b/spec/utils_spec.rb
@@ -120,6 +120,17 @@
             .and empty_options
   end
 
+  it "should sign a url" do
+    expected = Cloudinary::Utils.cloudinary_url "some_public_id.jpg", 
+                                     :cloud_name => "test", 
+                                     :api_key => "123456789012345", 
+                                     :api_secret => "AbcdEfghIjklmnopq1234567890", 
+                                     :type => "authenticated", 
+                                     :sign_url => true, 
+                                     :overlay => "text:Helvetica_50:test+text"
+    expect(expected).to eq("http://res.cloudinary.com/test/image/authenticated/s--j5Z1ILxd--/l_text:Helvetica_50:test+text/some_public_id.jpg")
+  end
+
   it "should not sign the url_suffix" do
     expected_signture = Cloudinary::Utils.cloudinary_url("test", :format => "jpg", :sign_url => true).match(/s--[0-9A-Za-z_-]{8}--/).to_s
     expect(["test", { :url_suffix => "hello", :private_cdn => true, :format => "jpg", :sign_url => true }])
