Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Not a Bug
Priority: Major
Fix Version/s: None
Affects Version/s: 2.10 GA
Component/s: Gateway
Labels:

Blocked:
False
Ready:
False
3Scale PT Tested upstream:
Not Started
3scale PT Docs:
Not Started
3scale PT Product Specs:
Not Started
3scale PT Product Update Ready:
Not Started
3scale PT Released In Saas:
Not Started
3scale PT Verified Product:
Not Started
Release Note Text:
Undefined

SFDC Cases Counter:
SFDC Cases Links:

Description

Any value that is passed as xxxx to the Authorization header as:

Authorization: Basic xxxx

Authorizes the requests even if the string is an invalid base64, as long as it starts with the correct credentials, for example:

Valid request:

curl -k "https://basicauth-3scale-apicast-staging.amp210.apps-crc.testing:443/" -H "Authorization: Basic MTVjZmFlNjU6ZGZkNDMxZjEyMDhlYzllMmVmYzM4ODI2ZmJjYjk3ZjU"

This request uses "wrong" credentials but Auth succeeds:

curl -k "https://basicauth-3scale-apicast-staging.amp210.apps-crc.testing:443/" -H "Authorization: Basic MTVjZmFlNjU6ZGZkNDMxZjEyMDhlYzllMmVmYzM4ODI2ZmJjYjk3ZjU==foo"

This request uses wrong credentials but with a valid base64 and Auth fails as expected

curl -k "https://basicauth-3scale-apicast-staging.amp210.apps-crc.testing:443/" -H "Authorization: Basic MTVjZmFlNjU6ZGZkNDMxZjEyMDhlYzllMmVmYzM4ODI2ZmJjYjk3ZjUwYXNk"

I believe what is happening is that here the method decode_base64 is ignoring invalid inputs and accepting the string, parsing the valid part of the input into the password. According to this it should return nil if str is not well formed.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Samuele Illuminati (Inactive)

Designer:: Eloy Coto (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2021/06/23 10:59 AM

Updated:: 2021/10/24 6:34 AM

Resolved:: 2021/08/10 12:18 PM