fix: normalize CRLF line endings in htpasswd basic auth secrets by stekole · Pull Request #8557 · envoyproxy/gateway

stekole · 2026-03-19T10:56:03Z

What type of PR is this?

fix: normalize CRLF line endings in htpasswd basic auth secrets

What this PR does / why we need it:

When an .htpasswd Secret uses CRLF line endings, the \r character is included in the SHA hash passed to Envoy. Envoy rejects the xDS update with invalid htpasswd format, invalid SHA hash length, but the SecurityPolicy incorrectly reports Accepted: True.

This PR normalizes CRLF (\r\n) to LF (\n) in the htpasswd bytes before validation and passing to the IR, so Envoy receives clean hash values regardless of the line ending format used.

Which issue(s) this PR fixes:

Fixes #8554

Release Notes: Yes

Fixes envoyproxy#8554 Signed-off-by: stekole <stefan@sandnetworks.com>

netlify · 2026-03-19T10:56:50Z

❌ Deploy Preview for cerulean-figolla-1f9435 failed.

Name	Link
🔨 Latest commit	`704fe80`
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69c09d66960c870008982001

codecov · 2026-03-19T11:11:24Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@4b72902). Learn more about missing BASE report.
⚠️ Report is 53 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8557   +/-   ##
=======================================
  Coverage        ?   74.13%           
=======================================
  Files           ?      242           
  Lines           ?    37785           
  Branches        ?        0           
=======================================
  Hits            ?    28011           
  Misses          ?     7818           
  Partials        ?     1956

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Signed-off-by: stekole <30674956+stekole@users.noreply.github.com>

arkodg

LGTM thanks

jukie

Thanks!

…yproxy#8557) Fixes envoyproxy#8554 Signed-off-by: stekole <stefan@sandnetworks.com> Signed-off-by: stekole <30674956+stekole@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com>

* fix: avoid metric increments on no-op delete reconcile paths (#8480) * fix: avoid metric increments on no-op delete reconcile paths Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> * Update internal/infrastructure/kubernetes/infra_resource_test.go Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> * Update internal/infrastructure/kubernetes/infra_resource_test.go Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> --------- Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> Co-authored-by: Isaac Wilson <isaac.wilson514@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: restore failure-path metric recording for delete and HPA reconcile (#8656) Fixes #8651 Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: helm secrets rbac for gateway namespace with watch list of namespaces (#8706) * fix: helm secrets rbac for gateway namespace with watch list of namespaces Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * add release notes Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * review update Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: handle network errors in rate limit e2e tests (#8446) Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: propagate the HTTPFilter translation errors to the outer layer (#7556) * progate the HTTPFilter validation errors to the outer layer Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: return 500 error for invalid filters (#7605) return 500 error for invalid filters Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: prevent configuring requestMirror filter and directResponse/RequestRedirect filter together (#7474) * fix: prevent configuring RequestMirror and DirectResponse filters together Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> check redirect respose filter Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * address comments Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> * fix lint Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> --------- Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix bug with grpcroute mirror filter (#8541) * fix bug with grpcroute mirror filter Signed-off-by: Adam Buran <aburan@roblox.com> * add indexers test Signed-off-by: Adam Buran <aburan@roblox.com> * add release note Signed-off-by: Adam Buran <aburan@roblox.com> --------- Signed-off-by: Adam Buran <aburan@roblox.com> Signed-off-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: normalize CRLF line endings in htpasswd basic auth secrets (#8557) Fixes #8554 Signed-off-by: stekole <stefan@sandnetworks.com> Signed-off-by: stekole <30674956+stekole@users.noreply.github.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: status for mirror backend (#8675) Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: set HTTPRoute Accepted condition as true with mixed invalid and valid rules (#7625) * set HTTPRoute Accepted condition as true with mixed invalid and valid rules Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * fix: basic auth validation (#8053) * fix basic auth validation Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> * [release/v1.6] fix gen check Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> --------- Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com> Signed-off-by: Adam Buran <aburan@roblox.com> Signed-off-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: stekole <stefan@sandnetworks.com> Signed-off-by: stekole <30674956+stekole@users.noreply.github.com> Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: Felipe Sabadini <fsabadini@hotmail.com> Co-authored-by: Isaac Wilson <isaac.wilson514@gmail.com> Co-authored-by: Karol Szwaj <karol.szwaj@gmail.com> Co-authored-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com> Co-authored-by: aburanrbx <aburan@roblox.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: stekole <30674956+stekole@users.noreply.github.com> Co-authored-by: Kota Kimura <86363983+kkk777-7@users.noreply.github.com>

…yproxy#8557) Fixes envoyproxy#8554 Signed-off-by: stekole <stefan@sandnetworks.com> Signed-off-by: stekole <30674956+stekole@users.noreply.github.com> (cherry picked from commit 9cac348)

…yproxy#8557) Fixes envoyproxy#8554 Signed-off-by: stekole <stefan@sandnetworks.com> Signed-off-by: stekole <30674956+stekole@users.noreply.github.com> (cherry picked from commit 9cac348) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com>

* fix: handle network errors in rate limit e2e tests (#8446) Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> (cherry picked from commit b0638d5) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * refactor/perf: use LuaPerRoute instead of FilterConfig (#8355) perf: use LuaPerRoute instead of FilterConfig Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> (cherry picked from commit f31ac4e) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: per-endpoint hostname override blocked by auto-generated wildcad host (#8565) * fix: per-endpoint hostname override blocked by auto-generated wildcard host Signed-off-by: zirain <zirain2009@gmail.com> * add UT Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit 595010a) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix bug with grpcroute mirror filter (#8541) * fix bug with grpcroute mirror filter Signed-off-by: Adam Buran <aburan@roblox.com> * add indexers test Signed-off-by: Adam Buran <aburan@roblox.com> * add release note Signed-off-by: Adam Buran <aburan@roblox.com> --------- Signed-off-by: Adam Buran <aburan@roblox.com> Signed-off-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> (cherry picked from commit e633c08) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: normalize CRLF line endings in htpasswd basic auth secrets (#8557) Fixes #8554 Signed-off-by: stekole <stefan@sandnetworks.com> Signed-off-by: stekole <30674956+stekole@users.noreply.github.com> (cherry picked from commit 9cac348) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: avoid metric increments on no-op delete reconcile paths (#8480) * fix: avoid metric increments on no-op delete reconcile paths Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> * Update internal/infrastructure/kubernetes/infra_resource_test.go Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> * Update internal/infrastructure/kubernetes/infra_resource_test.go Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> --------- Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> Co-authored-by: Isaac Wilson <isaac.wilson514@gmail.com> (cherry picked from commit 7a2a4ec) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix(telemetry): support BackendTLSPolicy for telemetry backends (#8545) * fix(telemetry): support BackendTLSPolicy for telemetry backends processBackendRefs does not look up BackendTLSPolicy for telemetry backends (access logs, tracing, metrics), so TLS can only be configured via Backend.spec.tls. Replace inline processServerValidationTLSSettings with applyBackendTLSSetting so telemetry backends get the full Backend + BackendTLSPolicy + EnvoyProxy TLS merge. Workaround: envoyproxy/ai-gateway#1964 Signed-off-by: Adrian Cole <adrian@tetrate.io> (cherry picked from commit ac18feb) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: restore failure-path metric recording for delete and HPA reconcile (#8656) Fixes #8651 Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> (cherry picked from commit 2a5bfd0) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: status for mirror backend (#8675) Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> (cherry picked from commit fa81778) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy extAuth Backend (#8654) * fix: client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy extAuth Backend Signed-off-by: zirain <zirain2009@gmail.com> * fix lint Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit c7e21fa) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy jwt/oidc Backend (#8711) Signed-off-by: zirain <zirain2009@gmail.com> (cherry picked from commit 95c3a79) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix: helm secrets rbac for gateway namespace with watch list of namespaces (#8706) * fix: helm secrets rbac for gateway namespace with watch list of namespaces Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * add release notes Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * review update Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> (cherry picked from commit c48a346) Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * add release notes Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix lint Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> * fix lint Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> --------- Signed-off-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Signed-off-by: Karol Szwaj <karol.szwaj@gmail.com> Signed-off-by: zirain <zirain2009@gmail.com> Signed-off-by: Adam Buran <aburan@roblox.com> Signed-off-by: Arko Dasgupta <arkodg@users.noreply.github.com> Signed-off-by: stekole <stefan@sandnetworks.com> Signed-off-by: stekole <30674956+stekole@users.noreply.github.com> Signed-off-by: Felipe Sabadini Facina <fsabadini@hotmail.com> Signed-off-by: Isaac Wilson <isaac.wilson514@gmail.com> Signed-off-by: Adrian Cole <adrian@tetrate.io> Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Co-authored-by: Rudrakh Panigrahi <rudrakh97@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com> Co-authored-by: aburanrbx <aburan@roblox.com> Co-authored-by: Arko Dasgupta <arkodg@users.noreply.github.com> Co-authored-by: stekole <30674956+stekole@users.noreply.github.com> Co-authored-by: Felipe Sabadini <fsabadini@hotmail.com> Co-authored-by: Isaac Wilson <isaac.wilson514@gmail.com> Co-authored-by: Adrian Cole <64215+codefromthecrypt@users.noreply.github.com> Co-authored-by: Kota Kimura <86363983+kkk777-7@users.noreply.github.com>

fix: normalize CRLF line endings in htpasswd basic auth secrets

a9f60e3

Fixes envoyproxy#8554 Signed-off-by: stekole <stefan@sandnetworks.com>

stekole requested a review from a team as a code owner March 19, 2026 10:56

Merge branch 'main' into fix/basic-auth-crlf

704fe80

Signed-off-by: stekole <30674956+stekole@users.noreply.github.com>

arkodg approved these changes Mar 23, 2026

View reviewed changes

arkodg added this to the v1.8.0-rc.1 Release milestone Mar 23, 2026

arkodg added cherrypick/release-v1.6.5 cherrypick/release-v1.7.2 labels Mar 23, 2026

arkodg requested review from a team March 23, 2026 03:44

jukie approved these changes Mar 23, 2026

View reviewed changes

jukie merged commit 9cac348 into envoyproxy:main Mar 23, 2026
32 of 36 checks passed

jukie added cherrypick/release-v1.6.6 and removed cherrypick/release-v1.6.5 labels Apr 2, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: normalize CRLF line endings in htpasswd basic auth secrets#8557

fix: normalize CRLF line endings in htpasswd basic auth secrets#8557
jukie merged 2 commits intoenvoyproxy:mainfrom
stekole:fix/basic-auth-crlf

stekole commented Mar 19, 2026 •

edited

Loading

Uh oh!

netlify bot commented Mar 19, 2026 •

edited

Loading

Uh oh!

codecov bot commented Mar 19, 2026 •

edited

Loading

Uh oh!

arkodg left a comment

Uh oh!

jukie left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

stekole commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

netlify bot commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

❌ Deploy Preview for cerulean-figolla-1f9435 failed.

Uh oh!

codecov bot commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

arkodg left a comment

Choose a reason for hiding this comment

Uh oh!

jukie left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

stekole commented Mar 19, 2026 •

edited

Loading

netlify bot commented Mar 19, 2026 •

edited

Loading

codecov bot commented Mar 19, 2026 •

edited

Loading