nblumhardt
commented
8 months ago We're bringing forward 2024.2 and will schedule this fix there.
Closed nblumhardt closed 8 months ago
nblumhardt
commented
8 months ago We're bringing forward 2024.2 and will schedule this fix there.
A culture-specific string comparison bug leads to some API key tokens not being recognized when the Seq server is running in a Norwegian or Danish locale.
Affected tokens are those that have a double A in the fourth and fifth character positions:
In C#,
k.Substring(0, 4)will result in"123A", butk.StartsWith("123A")is false, because AA is a digraph usually written as Å in Danish and Norwegian orthography.The four-character API key token prefix comparison is not security-senstive, it's just a tag that can be used to identify the key, with the remaining characters forming the sensitive/secret API key proper.
The prefix is, however, used to optimize lookups for inbound previously-unseen API keys, given that storage is salted and hashed, preventing keys being looked up directly.
The bug causes the prefix lookup to fail, so keys are not found, and inbound requests end up consuming nontrivial CPU attempting to load the key each time. Attempts to re-create the key may result in duplicates, since the existing-key duplicate check relies on the same prefix lookup.