From ad53f3ab68496b22794aa94f7330bafded326611 Mon Sep 17 00:00:00 2001
From: Ingo Oppermann
Date: Tue, 27 Jun 2023 10:15:49 +0200
Subject: [PATCH] Fix missing unescape of basic auth username
---
 http/middleware/iam/iam.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/http/middleware/iam/iam.go b/http/middleware/iam/iam.go
index d9621b70..447c88b4 100644
--- a/http/middleware/iam/iam.go
+++ b/http/middleware/iam/iam.go
@@ -36,6 +36,7 @@ import (
 "errors"
 "fmt"
 "net/http"
+ "net/url"
 "path/filepath"
 "sort"
 "strings"
@@ -289,6 +290,12 @@ func (m *iammiddleware) findIdentityFromBasicAuth(c echo.Context) (iamidentity.V
 }
 }
 
+ if name, err := url.QueryUnescape(username); err != nil {
+ return nil, ErrBadRequest
+ } else {
+ username = name
+ }
+
 identity, err := m.iam.GetVerifier(username)
 if err != nil {
 m.logger.Debug().WithFields(log.Fields{
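Review bot: `url.QueryUnescape` in the block added to findIdentityFromBasicAuth applies form decoding, so besides percent escapes it turns every `+` in the username into a space, and an account name such as `user+tag@example.com` would no longer resolve in `m.iam.GetVerifier`. If the escaped form originates from URL userinfo (the hunk does not show where `username` comes from), `url.PathUnescape` is the matching decoder: `name, err := url.PathUnescape(username)`. The decode also runs unconditionally, so a client that sends a raw username containing `%` is now either rejected with ErrBadRequest or mapped to a different name than before. Because the decoded name can contain control characters (a newline from `%0a`, for example), it is worth confirming that the debug log that follows and any lockout or audit keys use this same value and quote it safely. The function starts and ends outside the hunk.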