SEC-1446: Malformed Base64 in Basic Authentication header causes BasicAuthenticationFilter to throw a RuntimeException #1679
Labels
in: web
An issue in web modules (web, webmvc)
type: bug
A general bug
type: jira
An issue that was migrated from JIRA
Milestone
Hugh Winkler (Migrated from SEC-1446) said:
Since Base64.decode throws a RuntimeException if it detects bad characters in the input string, org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter throws the RTE if the Authentication header contains malformed base 64. The effect is that http servers return 500 rather than 401.
My fix just adds an additional check by calling Base64.isBase64, and if that fails, continues processing as if the Authentication header were missing.
The text was updated successfully, but these errors were encountered: