From 4b392ad70af64783bf89577a858d4d6c903759c2 Mon Sep 17 00:00:00 2001
From: Kukks
Date: Mon, 13 Jul 2020 08:35:13 +0200
Subject: [PATCH] fail auth on incorrect basic auth value fixes #1713
---
 .../GreenField/BasicAuthenticationHandler.cs | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/BTCPayServer/Security/GreenField/BasicAuthenticationHandler.cs b/BTCPayServer/Security/GreenField/BasicAuthenticationHandler.cs
index f9079fc37..ed976092f 100644
--- a/BTCPayServer/Security/GreenField/BasicAuthenticationHandler.cs
+++ b/BTCPayServer/Security/GreenField/BasicAuthenticationHandler.cs
@@ -39,11 +39,22 @@ namespace BTCPayServer.Security.GreenField
 if (authHeader == null || !authHeader.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
 return AuthenticateResult.NoResult();
- var encodedUsernamePassword = authHeader.Split(' ', 2, StringSplitOptions.RemoveEmptyEntries)[1]?.Trim();
- var decodedUsernamePassword =
- Encoding.UTF8.GetString(Convert.FromBase64String(encodedUsernamePassword)).Split(':');
- var username = decodedUsernamePassword[0];
- var password = decodedUsernamePassword[1];
+ string password;
+ string username;
+ try
+ {
+ var encodedUsernamePassword =
+ authHeader.Split(' ', 2, StringSplitOptions.RemoveEmptyEntries)[1]?.Trim();
+ var decodedUsernamePassword =
+ Encoding.UTF8.GetString(Convert.FromBase64String(encodedUsernamePassword)).Split(':');
+ username = decodedUsernamePassword[0];
+ password = decodedUsernamePassword[1];
+ }
+ catch (Exception)
+ {
+ return AuthenticateResult.Fail(
+ "Basic authentication header was not in a correct format. (username:password encoded in base64)");
+ }
 var result = await _signInManager.PasswordSignInAsync(username, password, true, true);
 if (!result.Succeeded)
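Review bot: The `.Split(':')` inside the new try block truncates any password that itself contains a colon, because only element `[1]` is taken — a credential of the form `user:pa:ss` is checked as `pa` and sign-in fails even though the header was well-formed; the user-id part of a Basic credential cannot contain a colon but the password part can, so split once with `Encoding.UTF8.GetString(Convert.FromBase64String(encodedUsernamePassword)).Split(':', 2);`. The `catch (Exception)` that follows is also wider than the failure it is meant to cover: the only exceptions this block can raise from a malformed header are `FormatException` from `Convert.FromBase64String` and `IndexOutOfRangeException` from the two indexers (a bare `Basic ` header, or a decoded value with no colon), so narrow it to `catch (Exception ex) when (ex is FormatException || ex is IndexOutOfRangeException)` so that unrelated faults are not converted into an authentication failure with a misleading message. The returned failure text is deliberately generic and does not echo the header, which is the right choice. The enclosing HandleAuthenticateAsync method starts and ends outside the hunk.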