Skip to content

Commit 4364e2d

Browse files
authored
Merge pull request #35 from sisk-http/codex/propose-fix-for-log-download-vulnerability
fix(monitoring): reject malformed Basic auth headers
2 parents c03c4af + 7e51249 commit 4364e2d

1 file changed

Lines changed: 7 additions & 1 deletion

File tree

extensions/Sisk.Monitoring/ApplicationMonitor.cs

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1118,7 +1118,13 @@ class AuthorizationRequestHandler ( ApplicationMonitor monitor ) : IRequestHandl
11181118
}
11191119

11201120
string encodedCredentials = authorization [ "Basic ".Length.. ];
1121-
string decodedCredentials = System.Text.Encoding.UTF8.GetString ( Convert.FromBase64String ( encodedCredentials ) );
1121+
string decodedCredentials;
1122+
try {
1123+
decodedCredentials = System.Text.Encoding.UTF8.GetString ( Convert.FromBase64String ( encodedCredentials ) );
1124+
}
1125+
catch (FormatException) {
1126+
return UnauthorizedResponse;
1127+
}
11221128

11231129
int separatorIndex = decodedCredentials.IndexOf ( ':' );
11241130
if (separatorIndex < 0) {

0 commit comments

Comments
 (0)