fix(basic-auth) accept passwords containing ':' #3014
Conversation
|
Hi, Thank you for the patch! We will try to review it as soon as we can manage some time aside. As a side thought: maybe this could land in the master branch instead? Or do you see any breaking behavior compared to the current behavior of the basic-auth plugin? |
|
@thibaultcha there is no breaking behaviour, so it may perfectly be moved to master. How should I proceed? |
|
@nico-acidtango you can rebase your branch on I already changed this PR to target |
When a password contains one or more ':' characters, the password is truncated up to the first ':' character. This is due to an error while splitting the user:password string. Fix #2986
|
@Tieske thanks for the advise, its done now |
kong/plugins/basic-auth/access.lua
Outdated
| @@ -39,7 +39,7 @@ local function retrieve_credentials(request, header_name, conf) | |||
| if m and m[1] then | |||
| local decoded_basic = ngx.decode_base64(m[1]) | |||
| if decoded_basic then | |||
| local basic_parts = utils.split(decoded_basic, ":") | |||
| local basic_parts = utils.split(decoded_basic, ":", 2) | |||
There was a problem hiding this comment.
A thought while we're visiting this code: this pure Lua split function from penlight is not JITable, which is a (small) concern here on a hot path. Should we consider migrating this to a JITable ngx.re.match implementation?
There was a problem hiding this comment.
@p0pr0ck5 good catch! that would definitely be an improvement to make here while we're at it.
There was a problem hiding this comment.
Thought as much, but not really the scope of this PR, as we try to generally enforce. I'd personally advise making that a subsequent perf contribution. Unless @nico-acidtango feels comfortable making further updates, this fulfills the premise of the PR.
There was a problem hiding this comment.
Sure. My thought was we would end up doing this ourselves anyway, so we could encourage the community to give it a go (in a separate commit in this PR). But I do agree in its current form this is 👍
There was a problem hiding this comment.
No problem guys, I'll change it to use ngx.re.match
kong/plugins/basic-auth/access.lua
Outdated
| local basic_parts = utils.split(decoded_basic, ":") | ||
| username = basic_parts[1] | ||
| password = basic_parts[2] | ||
| local basic_parts, err = ngx.re.match(decoded_basic, "([^:]+):(.+)") |
There was a problem hiding this comment.
Nice, thanks! A few brief thoughts: we may want to localize the "ngx.re.match" function, and we will want to use the "oj" flags as the third param in this call to leverage PCRE JITing and cache the compiled expression. Thanks again!
There was a problem hiding this comment.
Good call, I'll apply those changes too
Better performance in username:password string splitting by using JITable ngx.re.match implementation instead of pure Lua split function from penlight
|
Apart from a few pedantic things that can be fixed at merge this LGTM. @thibaultcha @Tieske any objections to merging? |
|
Sorry for the delay, merged to master with some minor edits! @nico-acidtango Thank you for the patch! |
Summary
When a password contains one or more ':' characters, the password is
truncated up to the first ':' character. This is due to an error
while splitting the user:password string.
Full changelog
Issues resolved
Fix #2986