fix(gorgone): Fix httpserver to correctly handle authentication with non-ascii characters #2035

Open
wants to merge 1 commit into
base: dev-24.10.x
10 changes: 10 additions & 0 deletions gorgone/gorgone/modules/core/httpserver/class.pm
Expand Up @@ -27,6 +27,7 @@ use warnings;
use gorgone::standard::library;
use gorgone::standard::misc;
use gorgone::standard::api;
use Encode;
use HTTP::Daemon;
use HTTP::Status;
use MIME::Base64;
Expand Down Expand Up @@ -314,6 +315,15 @@ sub authentication {

($header =~ /Basic\s(.*)$/);
my ($user, $password) = split(/:/, MIME::Base64::decode($1), 2);
# This is tricky, and for more context, see
# https://www.perlmonks.org/?node_id=1180100
# Short summary: what we get from MIME::Base64::decode is not UTF-8 yet,
# while the credentials from config files are in UTF-8 and in the modern
# world, a client will use UTF-8 for the string that is encoded in base64
# in the authentication header (see # https://stackoverflow.com/a/7243567).
# So let's move to UTF-8.
$user = Encode::decode_utf8($user);
$password = Encode::decode_utf8($password);
return 1 if (defined($self->{config}->{auth}->{user}) && $user eq $self->{config}->{auth}->{user} &&
defined($self->{config}->{auth}->{password}) && $password eq $self->{config}->{auth}->{password});

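Review bot: The two added `Encode::decode_utf8(...)` calls on `$user` and `$password` decode leniently. With no CHECK argument, malformed byte sequences are replaced with U+FFFD rather than rejected, and `decode_utf8` uses Perl's loose `utf8` encoding, not strict `UTF-8`. In an authentication path it is better to fail closed: decode with `Encode::decode('UTF-8', $user, Encode::FB_CROAK | Encode::LEAVE_SRC)` inside an `eval` and return 0 when decoding dies. Also, `$password` is undef when the decoded header contains no colon, and `decode_utf8` passes undef through, so the `eq` comparison then runs on an undefined value; a `defined` check on both values before decoding would avoid that. The comment says the configured credentials "are in UTF-8", but the `eq` only matches non-ASCII values if the config strings are already decoded character strings and not raw UTF-8 bytes, so the comment should state which one the config loader produces. There is also a stray `#` in "(see # https://stackoverflow.com/a/7243567)".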