From 0bf2f21e3161a776183f104b4f808813d2c8ed64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20H=C3=B8ydahl?= Date: Sat, 27 Jun 2026 01:47:34 +0200 Subject: [PATCH 1/2] PKIAuthenticationPlugin: handle non-base64 SolrAuthV2 signature gracefully Wrap the base64 decode of the signature token in decipherHeaderV2 in a try/catch so a malformed (non-base64) value returns null and results in a generic 401, instead of propagating an IllegalArgumentException that surfaces as a 500. Mirrors the existing NumberFormatException handling for the timestamp parsing. Adds a regression test. --- .../unreleased/pki-v2-header-base64-fix.yml | 4 ++++ .../solr/security/PKIAuthenticationPlugin.java | 8 +++++++- .../security/TestPKIAuthenticationPlugin.java | 17 +++++++++++++++++ 3 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 changelog/unreleased/pki-v2-header-base64-fix.yml diff --git a/changelog/unreleased/pki-v2-header-base64-fix.yml b/changelog/unreleased/pki-v2-header-base64-fix.yml new file mode 100644 index 000000000000..c2d5fb449691 --- /dev/null +++ b/changelog/unreleased/pki-v2-header-base64-fix.yml @@ -0,0 +1,4 @@ +title: PKIAuthenticationPlugin now rejects a SolrAuthV2 header with a malformed signature using a 401 response, instead of returning a 500 +type: fixed +authors: + - name: Jan Høydahl diff --git a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java index 7c2eb80c28b9..aef49c122ff3 100644 --- a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java +++ b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java @@ -209,7 +209,13 @@ private PKIHeaderData decipherHeaderV2(String header) { int sigStart = header.lastIndexOf(' '); String data = header.substring(0, sigStart); - byte[] sig = Base64.getDecoder().decode(header.substring(sigStart + 1)); + byte[] sig; + try { + sig = Base64.getDecoder().decode(header.substring(sigStart + 1)); + } catch (IllegalArgumentException e) { + log.warn("Could not parse signature in SolrAuthV2 header as base64"); + return null; + } PKIHeaderData rv = validateSignature(data, sig, key, false); if (rv == null) { log.warn("Failed to verify signature, trying after refreshing the key "); diff --git a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java index cff82ba6e7ab..b19750cb5642 100644 --- a/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java +++ b/solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java @@ -207,6 +207,23 @@ public void testLegacyV1HeaderRejected() throws Exception { "Should not have proceeded after authentication failure", wrappedRequestByFilter.get()); } + @Test + public void testMalformedV2HeaderSignatureRejected() throws Exception { + headerValue.set(nodeName + " someuser 1234567890 not_base64!!!"); + + HttpServletResponse response = mock(HttpServletResponse.class); + assertFalse( + "Should have rejected request with a non-base64 signature", + mock.authenticate(mockReq, response, filterChain)); + + verify(response) + .setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), PKIAuthenticationPlugin.HEADER_V2); + verify(response).sendError(ArgumentMatchers.eq(401), anyString()); + + assertNull( + "Should not have proceeded after authentication failure", wrappedRequestByFilter.get()); + } + private HttpServletRequest createMockRequest(final AtomicReference headerValue) { HttpServletRequest mockReq = mock(HttpServletRequest.class); when(mockReq.getHeader(any(String.class))) From 9254b77d77041dd15f2595b70db8140533abb7d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20H=C3=B8ydahl?= Date: Sat, 27 Jun 2026 01:59:01 +0200 Subject: [PATCH 2/2] Fix changelog --- ...der-base64-fix.yml => PR#4553-pki-v2-header-base64-fix.yml} | 3 +++ 1 file changed, 3 insertions(+) rename changelog/unreleased/{pki-v2-header-base64-fix.yml => PR#4553-pki-v2-header-base64-fix.yml} (70%) diff --git a/changelog/unreleased/pki-v2-header-base64-fix.yml b/changelog/unreleased/PR#4553-pki-v2-header-base64-fix.yml similarity index 70% rename from changelog/unreleased/pki-v2-header-base64-fix.yml rename to changelog/unreleased/PR#4553-pki-v2-header-base64-fix.yml index c2d5fb449691..9e503d01e704 100644 --- a/changelog/unreleased/pki-v2-header-base64-fix.yml +++ b/changelog/unreleased/PR#4553-pki-v2-header-base64-fix.yml @@ -2,3 +2,6 @@ title: PKIAuthenticationPlugin now rejects a SolrAuthV2 header with a malformed type: fixed authors: - name: Jan Høydahl +links: + - name: PR#4553 + url: https://github.com/apache/solr/pull/4553