  1. Red Hat 3scale API Management
  2. THREESCALE-4760

Dash and underscore are treated as the same character in API Key authentication


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Critical
    • None
    • 2.7 GA, SaaS
    • Gateway, System
    • Not Started

      From the admin portal Service configuration:

        Authentication : `API Key`
        Auth user key : `_____`
        Credentials location = `As HTTP Headers`
      

      Send a request with a key that is a different combination of dashes and underscores:

      curl "<PUBLIC BASE URL>" -H'_-_-_: <USER_KEY>'
      

      The user_key (with a name that is different from the one configured) will be accepted.


      Dash `-` and underscore `_` characters are matched as the same character in the user_key parameter name when the credentials location is set to HTTP Headers.

      For example, the string `user_key` would be accepted as a valid user key even if `Auth user key` is set to accept the `user-key` name. In the same way, `_-_-_` can be used instead of `_____`, etc.
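
The matching behaviour described above, modelled as an added example (not 3scale or APIcast code): an exact header-name lookup beside one that folds `-` and `_`, plus an audit helper that flags requests whose credential header only matches after folding. All function names and the sample requests are constructed for illustration.

```python
# Added example: models the header-name folding described in this issue.
# Function names and sample requests are constructed, not taken from 3scale.

def fold(name: str) -> str:
    """Lower-case a header name and treat '-' and '_' as one character."""
    return name.lower().replace("_", "-")

def exact_lookup(headers, configured):
    """Strict matching: header names are case-insensitive, nothing else is folded."""
    want = configured.lower()
    return [v for k, v in headers if k.lower() == want]

def folded_lookup(headers, configured):
    """Models the reported behaviour: '-' and '_' are interchangeable."""
    want = fold(configured)
    return [v for k, v in headers if fold(k) == want]

def aliased_names(headers, configured):
    """Header names that match the configured name only because of folding."""
    want = configured.lower()
    return [k for k, _ in headers
            if fold(k) == fold(configured) and k.lower() != want]

def audit(requests, configured):
    """Return (request id, aliased header names) for requests worth reviewing."""
    findings = []
    for req_id, headers in requests:
        names = aliased_names(headers, configured)
        if names:
            findings.append((req_id, names))
    return findings

# Constructed sample traffic; "KEY" stands in for a real user key value.
SAMPLE = [
    ("r1", [("Host", "api.example.test"), ("user-key", "KEY")]),    # configured name
    ("r2", [("Host", "api.example.test"), ("user_key", "KEY")]),    # aliased name
    ("r3", [("Host", "api.example.test"), ("User-Key", "KEY")]),    # case only: fine
    ("r4", [("user-key", "KEY-A"), ("user_key", "KEY-B")]),         # two names collide
]

if __name__ == "__main__":
    for req_id, names in audit(SAMPLE, "user-key"):
        print(req_id, "credential sent under aliased header name(s):", names)
```

Request `r4` shows a side effect of folding: two distinct headers resolve to the same credential slot, so a component that matches exactly and one that folds can disagree about which value was presented.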

              Assignee: Unassigned
              Reporter: rhn-support-sillumin Samuele Illuminati (Inactive)