reschke commented on code in PR #2983:
URL: https://github.com/apache/jackrabbit-oak/pull/2983#discussion_r3496937606


##########
oak-http/src/main/java/org/apache/jackrabbit/oak/http/AuthorizationField.java:
##########
@@ -44,11 +45,30 @@ public static SimpleCredentials valueOf(Enumeration<String> 
values) throws Login
         return parseCredentials(field);
     }
 
-    private static SimpleCredentials parseCredentials(String fieldValue) 
throws LoginException {
-        if (fieldValue.startsWith("Basic ")) {
-            String[] basic =
-                    Base64.decode(fieldValue.substring("Basic 
".length())).split(":");
-            return new SimpleCredentials(basic[0], basic[1].toCharArray());
+    private static SimpleCredentials parseCredentials(String rawFieldValue) 
throws LoginException {
+        boolean hasControls = rawFieldValue.chars().anyMatch(c -> c < ' ');
+        if (hasControls) {
+            throw new LoginException("Control characters are not allowed");
+        }
+
+        String fieldValue = rawFieldValue.trim().replaceAll(" +", " ");
+
+        if (fieldValue.toLowerCase(Locale.ENGLISH).startsWith("basic ")) {
+            String token68 = fieldValue.substring("basic ".length());
+            try {
+                String decoded = new 
String(Base64.getDecoder().decode(token68), StandardCharsets.UTF_8);
+                int colon = decoded.indexOf(':');
+                if (colon < 0) {
+                    throw new LoginException(
+                            "Malformed Basic credentials: missing ':' 
separator");
+                }
+                String userId = decoded.substring(0, colon);
+                String password = decoded.substring(colon + 1);
+
+                return new SimpleCredentials(userId, password.toCharArray());
+            } catch (IllegalArgumentException ex) {
+                throw new LoginException(ex.getMessage());

Review Comment:
   So the attacker sends a field value with broken base 64, and the message 
contains the offset of the part that is broken. Where's the issue here?
   
   (halluscinating AI maybe?)
   
   (and no, attackers having access to our log files would be a huge ops 
problem, and we would have to change many many pieces in Oak would that be a 
problem)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to