Closed incfly closed 2 years ago
/cc @vikaschoudhary16
@incfly: GitHub didn't allow me to request PR reviews from the following users: vikaschoudhary16.
Note that only istio-ecosystem members and repo collaborators can review this PR, and authors cannot review their own PRs.
Accommodating just one character, `/`, will not help for very long I think. As we discussed offline, in my case it was the client (browser) which is passing the code in the decoded form. My authz code was having `%2f` in encoded form, which in decoded form is `/`. Is it not possible that there is some other combination of letters in encoded form which, when decoded, is some other key than the `/`?

Instead of handling `/` individually, can we determine if the code is encoded or decoded by checking the presence of reserved keys and, if already decoded, skip decoding?
> Accommodating just one character, /, will not help for very long I think.

There's actually only a few chars to be considered: `/`, `:`, `=`, etc. The `=` would not be considered valid. Also in other identity providers the issue does not occur, say Auth0. I think it's fine to be conservative and keep track of what characters we allow explicitly, i.e. only add chars when we encounter one.
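The two approaches raised in the thread, checking for literal reserved characters to tell that the browser already delivered the code decoded, and decoding only an explicit allowlist of escapes rather than the whole string, as an added C++ example that is not authservice's code. The function names, the contents of the reserved set and allowlist, and the sample codes are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Added example, not authservice's own code. It models the two ideas raised in
// the thread: detect a code the browser already delivered decoded, and decode
// only an explicit allowlist of escapes instead of the whole string.

// Reserved characters that, when present literally, mean the client already
// delivered the code decoded. The thread names '/' and ':'; this set is an
// assumption and should only grow when a provider is seen to emit a new one.
static constexpr std::string_view kReservedDecoded = "/:";

// Explicit allowlist of percent-escapes we are willing to decode. '=' (%3D) is
// left out because the thread says it would not be considered valid in a code.
static const std::vector<std::pair<std::string_view, char>> kAllowedEscapes = {
    {"%2F", '/'}, {"%2f", '/'},
    {"%3A", ':'}, {"%3a", ':'},
};

// True if any reserved character appears literally: the code is already
// decoded and must not be decoded a second time.
bool LooksAlreadyDecoded(std::string_view code) {
  return code.find_first_of(kReservedDecoded) != std::string_view::npos;
}

// Decodes only the allowlisted escapes; every other '%' sequence is copied
// through unchanged, so unknown or double-encoded input is never mangled.
std::string DecodeAllowedEscapes(std::string_view code) {
  std::string out;
  out.reserve(code.size());
  std::size_t i = 0;
  while (i < code.size()) {
    bool matched = false;
    if (code[i] == '%') {
      for (const auto& [esc, ch] : kAllowedEscapes) {
        if (code.substr(i, esc.size()) == esc) {
          out.push_back(ch);
          i += esc.size();
          matched = true;
          break;
        }
      }
    }
    if (!matched) {
      out.push_back(code[i]);
      ++i;
    }
  }
  return out;
}

// Normalizes an authorization code: skip decoding when the client already
// decoded it, otherwise decode the allowlisted escapes exactly once.
std::string NormalizeAuthCode(std::string_view code) {
  if (LooksAlreadyDecoded(code)) {
    return std::string(code);
  }
  return DecodeAllowedEscapes(code);
}

int main() {
  // Constructed sample codes, not real authorization codes.
  for (std::string_view sample : {"abc%2Fdef%3Axyz", "abc/def", "abc%3Ddef"}) {
    std::cout << sample << " -> " << NormalizeAuthCode(sample) << '\n';
  }
  return 0;
}
```

Because only allowlisted escapes are touched, applying `NormalizeAuthCode` twice yields the same result as applying it once, which is the property that protects a code from being decoded a second time when a client has already decoded it.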
sounds good!
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: incfly, Shikugawa
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Signed-off-by: Jianfei Hu hujianfei258@gmail.com
Fix https://github.com/istio-ecosystem/authservice/issues/205