diff --git a/changelog/unreleased/PR#4553-pki-v2-header-base64-fix.yml b/changelog/unreleased/PR#4553-pki-v2-header-base64-fix.yml new file mode 100644 index 000000000000..9e503d01e704 --- /dev/null +++ b/changelog/unreleased/PR#4553-pki-v2-header-base64-fix.yml @@ -0,0 +1,7 @@ +title: PKIAuthenticationPlugin now rejects a SolrAuthV2 header with a malformed signature using a 401 response, instead of returning a 500 +type: fixed +authors: + - name: Jan Høydahl +links: + - name: PR#4553 + url: https://github.com/apache/solr/pull/4553 diff --git a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java index 7c2eb80c28b9..aef49c122ff3 100644 --- a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java +++ b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java @@ -209,7 +209,13 @@ private PKIHeaderData decipherHeaderV2(String header) { int sigStart = header.lastIndexOf(' '); String data = header.substring(0, sigStart); - byte[] sig = Base64.getDecoder().decode(header.substring(sigStart + 1)); + byte[] sig; + try { + sig = Base64.getDecoder().decode(header.substring(sigStart + 1)); + } catch (IllegalArgumentException e) { + log.warn("Could not parse signature in SolrAuthV2 header as base64"); + return null; + } PKIHeaderData rv = validateSignature(data, sig, key, false); if (rv == null) { log.warn("Failed to verify signature, trying after refreshing the key "); diff --git a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java index cff82ba6e7ab..b19750cb5642 100644 --- a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java +++ b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java @@ -207,6 +207,23 @@ public void testLegacyV1HeaderRejected() throws Exception { "Should not have proceeded after authentication failure", wrappedRequestByFilter.get()); } + @Test + public void testMalformedV2HeaderSignatureRejected() throws Exception { + headerValue.set(nodeName + " someuser 1234567890 not_base64!!!"); + + HttpServletResponse response = mock(HttpServletResponse.class); + assertFalse( + "Should have rejected request with a non-base64 signature", + mock.authenticate(mockReq, response, filterChain)); + + verify(response) + .setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), PKIAuthenticationPlugin.HEADER_V2); + verify(response).sendError(ArgumentMatchers.eq(401), anyString()); + + assertNull( + "Should not have proceeded after authentication failure", wrappedRequestByFilter.get()); + } + private HttpServletRequest createMockRequest(final AtomicReference headerValue) { HttpServletRequest mockReq = mock(HttpServletRequest.class); when(mockReq.getHeader(any(String.class)))