cwinfo/powerdns-admin
5
0
Fork 0
mirror of https://github.com/cwinfo/powerdns-admin.git synced 2024-11-09 23:20:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(auth:basic): Basic auth exception handling improvement

Browse Source 
Currently passing an invalid Basic auth header (random string base64 encoded) would result in an exception being raised due to a username, password = auth_header.split().

Similary passing a `Digest` authentication type would result in an exception as there is no :.

Thirdly passing invalid base64 encoded UTF-8 code sequences would result in exceptions as this issue (#1424).

I added code to check explicitly that we are doing basic authentication then by checking the number of entries returned by the split.

I also added exception handling for invalid UTF-8 code sequence exceptions.

Tested with a fuzzer.

Tested with valid and invalid credentials.

This fixes #1424.
This commit is contained in:
Nigel Kukard 2023-03-14 23:48:25 +00:00
parent 73447d396a
commit 17e3a8f942
1 changed files with 19 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
powerdnsadmin/routes/base.py
View File

@ -60,15 +60,31 @@ def login_via_authorization_header_or_remote_user(request):
# Try to login using Basic Authentication # Try to login using Basic Authentication
auth_header = request.headers.get('Authorization') auth_header = request.headers.get('Authorization')
if auth_header: if auth_header:
if auth_header[:6] != "Basic ":
return None
auth_method = request.args.get('auth_method', 'LOCAL') auth_method = request.args.get('auth_method', 'LOCAL')
auth_method = 'LDAP' if auth_method != 'LOCAL' else 'LOCAL' auth_method = 'LDAP' if auth_method != 'LOCAL' else 'LOCAL'
auth_header = auth_header.replace('Basic ', '', 1)
# Remove "Basic " from the header value
auth_header = auth_header[6:]
try: try:
auth_header = str(base64.b64decode(auth_header), 'utf-8') auth_header = str(base64.b64decode(auth_header), 'utf-8')
username, password = auth_header.split(":") except (UnicodeDecodeError, TypeError) as e:
except TypeError as e:
return None return None
# NK: We use auth_components here as we don't know if we'll have a :, we split it maximum 1 times to grab the
# username, the rest of the string would be the password.
auth_components = auth_header.split(':', maxsplit=1)
# If we don't have two auth components (username, password), we can return
if len(auth_components) != 2:
return None
(username, password) = auth_components
user = User(username=username, user = User(username=username,
password=password, password=password,
plain_text_password=password) plain_text_password=password)