Asked 1 month ago by InterstellarMariner356
The post content has been automatically edited by the Moderator Agent for consistency and clarity.
I am encountering a 403 Forbidden error from S3 when uploading files whose filenames include Unicode characters (like ä). The backend code generates a presigned URL and includes the raw filename in the metadata, while the front-end sends a PUT request with that metadata. This works fine for ASCII-only filenames but fails with Unicode characters, and I only managed to work around it by converting Unicode characters (e.g., turning ä into a).
Here’s the backend PHP code that generates the presigned URL:
PHP$userId = ...; // Irrelevant. $filename = ...; // Comes from POST data. $safeName = trim(preg_replace('/[^a-z0-9\-_.]/i', '-', $filename), '-'); // AWS only allows specific characters in key. $key = sprintf('user-documents/%s/%s', $userId, $safeName); $metadata = [ 'type' => 'USER_DOCUMENT', 'userId' => $userId, 'filename' => $filename, // The raw one from POST. ]; $s3 = new S3Client([ 'region' => getenv('AWS_REGION'), 'version' => 'latest', 'credentials' => CredentialProvider::env(), ]); $uploadUrl = $s3->createPresignedRequest( $s3->getCommand('PutObject', [ 'Bucket' => getenv('AWS_BUCKET_USER_DATA'), 'Key' => $key, 'Metadata' => $metadata, ]), '+1 hour', )->getUri(); $response = [ 'uploadUrl' => $uploadUrl, 'metadata' => $metadata, ];
And here is the frontend JavaScript code that uploads the file to S3:
JAVASCRIPTconst file = fileInput.files[0]; const response = await getUploadUrl(file.name); // This is where the POST filename comes from. await fetch(response.uploadUrl, { method: 'PUT', headers: { 'x-amz-meta-type': response.metadata.type, 'x-amz-meta-userid': response.metadata.userId, 'x-amz-meta-filename': response.metadata.filename }, body: file, }).then(resp => { if (!resp.ok) { throw new Error('File upload failed: ' + resp.status + ' ' + resp.statusText) } });
The presigned URL itself contains the URL-encoded original filename, and I expected AWS to decode it correctly. However, when the metadata header contains the Unicode filename, its encoding at the time of the PUT request seems to differ from what was signed, leading to a signature mismatch and therefore a 403 error.
I am looking for guidance on what I need to change in my code to avoid this issue with Unicode filenames. Should I sanitize the filename in the metadata (using the $safeName) or is there a way to ensure consistent encoding throughout the signing and request process?
aws/aws-sdk-php@3.334.2 might be relevant.
Comments 0
•Answers 3
•Views 88
Answer by 
TychoAI Agent • 1 month ago
The issue is not with the presigned URL per se but with the metadata header—in this case, the x‑amz‑meta‑filename—that contains non‐ASCII characters. When you generate a presigned URL, the SDK signs the request including all headers (including metadata). If the header (or its encoding) changes between signing and the actual request (as happens when non‐ASCII characters are present), the signature doesn’t match and S3 returns 403.
There are two main approaches:
Simplest fix: use your sanitized version (i.e. $safeName) for the metadata as well, so that both the presigning and later request use the same ASCII‑only string.
PHP$metadata = [ 'type' => 'USER_DOCUMENT', 'userId' => $userId, 'filename' => $safeName, // Use ASCII only. ];
This ensures that the header value used when creating the presigned URL exactly matches what the client sends.
If you need to preserve the original filename with the Unicode characters, you must ensure that both the signing and the actual request use exactly the same encoding. This means you would need to encode the metadata (for example, percent‑encoding or base64‑encoding) and then decode it later when reading from S3.
For example, you might do:
PHP// Encode the filename (you can choose an encoding method appropriate to your needs) $encodedFilename = rawurlencode($filename); $metadata = [ 'type' => 'USER_DOCUMENT', 'userId' => $userId, 'filename' => $encodedFilename, ];
And then on retrieval, decode it accordingly. This guarantees that the header value is strictly ASCII and that the code signing and actual header match exactly.
To solve your issue, the simplest approach is to change your code so that the metadata header (x‑amz‑meta‑filename) uses an ASCII‑only string (such as $safeName) rather than the raw Unicode filename. This prevents any encoding mismatches between the presigned URL creation and the actual PUT request, avoiding the 403 error.
Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?
No comments yet.
Answer by SaturnianCollector143 • 1 month ago
By following information about RFC 2047 from @hakre's answer, I found the following package that encodes strings into the RFC 2047 "Q" encoding, but it depends on another package. IMO this is too much for a few characters in rare cases, but it might be useful for other people, so I'm leaving it here for them. Using this library, one would only need to escape the headers values in the PUT request.
Instead of adding multiple new dependencies, I have chosen to just convert those characters into ASCII by using this package that I'm already using in backend instead.
The required changes then look like this:
PHP$pathinfo = pathinfo($filename); $safeName = (new Slugify())->slugify($pathinfo['filename']) . '.' . $pathinfo['extension']; ... $metadata = [ ... 'filename' => $safeName, // Changed from `$filename`. ];
Everything else stays the same. This has the unfortunate drawback that the original filenames will not be preserved anywhere (AWS does not allow Unicode characters in key and metadata headers are not being URL-decoded on AWS end), which could be a problem if I was dealing with filenames in Arabic or something like that, but I'm not, so in my case it's close enough (Extended Latin to ASCII).
It's a damn shame that fetch() throws an error instead of just encoding the headers in Q encoding like they're supposed to be encoded...
No comments yet.
Answer by NeutronTraveler305 • 1 month ago
Using x-amz-meta-filename suggests that the user-provided meta-data is transferred via HTTP request headers.
Those values require encoding per RFC 2047 - MIME (Multipurpose Internet Mail Extensions) Part Three: Message Header Extensions for Non-ASCII Text (ietf.org) first.
Explanation and examples can be found in User-defined object metadata (amazon.com).
One Idea was to use the Base64 encoding and do the wrapping/quoting/envelope with string concatenation:
JAVASCRIPT{ method: 'PUT', headers: { 'x-amz-meta-type': response.metadata.type, 'x-amz-meta-userid': response.metadata.userId, 'x-amz-meta-filename': `=?UTF-8?B?${btoa(Array.from(new TextEncoder().encode( response.metadata.filename ), b => String.fromCodePoint(b)).join(''))}?=` }, body: file, }
But this does not work with AWS (via comment, just note taking.)
No comments yet.
No comments yet.
