Authorization header parsing is prone to issues #4739
Comments
|
I was taking a look at this. Since the comma is used to split the authorization headers, another separator character should be chosen. |
|
I don't think we can change that part. That would break all existing clients. I don't think we need to change it too, a value can be wrapped in double quotes so we should just not split on the comma inside of quotes. |
|
That makes sense. And is linked to the second point of your list "A value can't start or end with a double quote". |
|
Some quick thoughts (I think I mentioned a few in the start post):
|
|
I see. So in order to split the values by commas allowing to have commas inside the value would be something like |
|
I'd say don't use the Split function but write a parser that loops trough all characters instead. That way you can easily add escaping etc. |
Describe the bug
The current implementation of the authorization header parsing has (at least) the following issues:
<it will htmlencode themSources
jellyfin/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
Lines 243 to 284 in 7957852
jellyfin/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
Lines 286 to 290 in 7957852
Proposed changes
Fixing the XSS thingy needs changes in jellyfin-web. The others could be fixed by rewriting the header parsing and allowing some sort of encoding. This could easily be done with backwards compatibility.
Related issues
jellyfin/jellyfin-web#718
The text was updated successfully, but these errors were encountered: