escape backslashes in digest auth quoted-string values#13054
Draft
dxbjavid wants to merge 2 commits into
Draft
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #13054 +/- ##
=======================================
Coverage 98.96% 98.96%
=======================================
Files 131 131
Lines 48156 48166 +10
Branches 2499 2499
=======================================
+ Hits 47656 47666 +10
Misses 376 376
Partials 124 124
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. |
Merging this PR will not alter performance
Comparing Footnotes
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What do these changes do?
escape_quotesin the digest auth middleware only escaped double quotes and left backslashes untouched, so a value taken from a server'sWWW-Authenticatechallenge (realm, nonce or opaque) that ends in or contains a backslash produces a malformed quoted-string in theAuthorizationheader the client sends back. A realm offoo\is emitted asrealm="foo\", where the intended closing quote now reads as an escaped quote, so a compliant quoted-string parser treats the realm as running on into the followingnonce/uri/responsedirectives. A malicious or compromised server can use this to corrupt or smuggle fields in the credentials header the client generates.The rest of the codebase already escapes both characters when building HTTP quoted-strings (see
helpers.content_disposition_headerand the multipart writer), so this just bringsescape_quotesin line with that, escaping the backslash before the quote, and makesunescape_quotesthe exact inverse so the round-trip used when parsing challenges is preserved.Are there changes in behavior for the user?
Only for values that contain a backslash, which were previously encoded incorrectly. Values without a backslash are unchanged.
Is it a substantial burden for the maintainers to support this?
No, it is a two-line change to a pair of helpers.
Related issue number
N/A
Checklist
CONTRIBUTORS.txtCHANGES/folder