Mark,
On 4/16/24 03:18, Mark Thomas wrote:
TL;DR - we need to tighten up parsing of BASIC authentication headers.
When I switched out Tomcat's Base64 handling for the built-in JRE
handling, I noticed that BASIC authentication was using a very relaxed
version of the Base64 decoder. That seemed
On 16/04/2024 08:18, Mark Thomas wrote:
Tomcat's current implementation is based on RFC 2617 and allows the
following:
- white space around the base64
- allows embedded line breaks in the base64
- missing padding
- illegal characters in the base64 (ignored)
- illegal characters in the base64
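An added example, not part of the original messages and not Tomcat's code: it feeds constructed BASIC credentials showing each leniency listed above to the JRE's two `java.util.Base64` decoders and prints which inputs each one accepts. The class name and the sample credentials are made up for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class BasicAuthBase64Check {

    // Decode the credentials part of "Authorization: Basic <base64>" with the given decoder.
    // Returns the decoded text, or a rejection marker when the decoder refuses the input.
    static String decode(Base64.Decoder decoder, String credentials) {
        try {
            byte[] raw = decoder.decode(credentials.getBytes(StandardCharsets.ISO_8859_1));
            return "accepted -> " + new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed samples: "user:pass" encodes to "dXNlcjpwYXNz", "user:pw" to "dXNlcjpwdw==".
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("well-formed", "dXNlcjpwYXNz");
        samples.put("white space around", " dXNlcjpwYXNz ");
        samples.put("embedded line break", "dXNlcjpw\r\nYXNz");
        samples.put("missing padding", "dXNlcjpwdw");
        samples.put("illegal character", "dXNl*cjpwYXNz");

        Base64.Decoder strict = Base64.getDecoder();      // rejects bytes outside the RFC 4648 alphabet
        Base64.Decoder lenient = Base64.getMimeDecoder(); // ignores bytes outside the alphabet

        for (Map.Entry<String, String> s : samples.entrySet()) {
            System.out.printf("%-20s strict : %s%n", s.getKey(), decode(strict, s.getValue()));
            System.out.printf("%-20s lenient: %s%n", "", decode(lenient, s.getValue()));
        }
    }
}
```

Where the two decoders disagree on an input, components that parse the same `Authorization` header with different decoders can recover different credentials, or one can accept a header the other rejects.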
Hi all,
TL;DR - we need to tighten up parsing of BASIC authentication headers.
When I switched out Tomcat's Base64 handling for the built-in JRE
handling, I noticed that BASIC authentication was using a very relaxed
version of the Base64 decoder. That seemed odd, so I replaced it with
the sta