CloudFrontSigner doesn't account for wildcard question marks

[WeatherGod]

CloudFrontSigners can be used to sign an url with '*' and '?' wildcards: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html#private-content-custom-policy-statement-cookies-values. The check in _build_url() to figure out whether it is adding a query or appending to an existing query string does not account for this and can result in incorrect results. For example, consider the url "https://example.com/example_202?.zip". Rather than being modified with a new query string "https://example.com/example_202?.zip?SomeParam=foo", it'll be incorrectly turned into "https://example.com/example_202?.zip&SomeParam=foo".

I'm not exactly sure how this should (if at all) be fixed because the wildcard is in direct contradiction with url specs. At the moment, we are working around it by detecting that a wildcard was used and swapping out the first '&' for a '?', but this only works in our case because we know there aren't any query strings to start with with our particular URLs.

[WeatherGod]

The line in question is:

botocore/botocore/signers.py

Line 441 in 1a2ebd8

separator = '&' if '?' in base_url else '?'