Hi all,
TL;DR - we need to tighten up parsing of BASIC authentication headers.
When I switched out Tomcat's Base64 handling for the built-in JRE
handling, I noticed that BASIC authentication was using a very relaxed
version of the Base64 decoder. That seemed odd, so I replaced it with
the standard Base64 decoder. That broke a bunch of tests so I switched
to the MIME decoder (the most relaxed) which fixed most - but not all -
of the issues. Then I started looking at what the tests were testing and
the relevant RFCs.
The current RFC for HTTP BASIC authentication is RFC 7617. This in turn
references numerous other RFCs, most notably RFC 7235 (HTTP
Authentication) and RFC 4648 (Base64). Taken together these require that
the format of the Authorization header is:
- The token "Basic"
- Exactly 1 space
- The base64 encoding of username:password
Tomcat's current implementation is based on RFC 2617 and allows the
following:
- white space around the base64
- allows embedded line breaks in the base64
- missing padding
- illegal characters in the base64 (ignored)
- illegal characters in the base64 padding (ignored)
- excessive padding
- whitespace around the decoded password
I don't see any of the above causing issues apart from the last one
which prevents the use of passwords with leading or trailing whitespace.
This is mostly a cleaning-up exercise so that the switch to Java's base64
decoder is simpler.
Before I merge the change to use the JRE's Base64 encoder, I intend to
tighten up the parsing of Basic authentication headers. I intend to do
this for all currently supported versions.
Any objections?
Mark
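As an added example (not Tomcat's code and not part of Mark's message), a strict parser for the header format described above: it enforces the RFC 7617 / RFC 7235 / RFC 4648 rules and rejects each of the relaxed forms the current implementation accepts, while leaving leading and trailing whitespace in the password intact. Assumptions: the scheme token is matched case-insensitively as RFC 7235 specifies, and the decoded user-pass is treated as UTF-8.

```python
import base64
import binascii
import re
from typing import Tuple

# RFC 4648 base64: alphabet characters followed by at most two '=' pad characters.
_STRICT_B64 = re.compile(r"[A-Za-z0-9+/]*={0,2}")


class BasicAuthError(ValueError):
    """Raised when an Authorization header value does not match RFC 7617 strictly."""


def parse_basic_authorization(header: str) -> Tuple[str, str]:
    """Return (user-id, password) from a strictly formed 'Basic' Authorization value."""
    # RFC 7235: auth-scheme is a case-insensitive token; RFC 7617: exactly one SP follows it.
    scheme, sep, credentials = header.partition(" ")
    if sep != " " or scheme.lower() != "basic":
        raise BasicAuthError("expected the token 'Basic' followed by exactly one space")
    # Rejects whitespace around the base64 and embedded line breaks inside it.
    if not credentials or any(c.isspace() for c in credentials):
        raise BasicAuthError("whitespace is not allowed in the credentials")
    # Rejects missing padding, excessive padding and illegal characters (also in the padding).
    if len(credentials) % 4 != 0 or not _STRICT_B64.fullmatch(credentials):
        raise BasicAuthError("credentials are not strict RFC 4648 base64")
    try:
        decoded = base64.b64decode(credentials, validate=True)
    except binascii.Error as exc:
        raise BasicAuthError(f"base64 decoding failed: {exc}") from exc
    # Assumption: UTF-8 user-pass; RFC 7617 only guarantees this when the challenge carried charset="UTF-8".
    try:
        user_pass = decoded.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise BasicAuthError("credentials are not valid UTF-8") from exc
    # RFC 7617: the user-id cannot contain ':', so split at the first one; the password may contain more.
    user, sep, password = user_pass.partition(":")
    if sep != ":":
        raise BasicAuthError("credentials must be user-id ':' password")
    # The password is returned untouched: leading and trailing whitespace are part of it.
    return user, password


def rejects(header: str) -> bool:
    """True when the strict parser refuses the header; used to exercise the relaxed forms."""
    try:
        parse_basic_authorization(header)
    except BasicAuthError:
        return True
    return False
```

With the constructed header value `Basic YWxpY2U6IHB3IA==` (the user-pass `alice: pw `), the parser returns the password with its surrounding spaces intact, whereas a header with two spaces after the token, an embedded CRLF, missing or excessive padding, or a stray character in the base64 is refused.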