fix: bad authorization format crash with 500

2022-03-22 22:55:56 +08:00 · 2022-03-22 22:55:56 +08:00 · 99dfd8504c
parent ce2e4f51ac
commit 99dfd8504c
3 changed files with 16 additions and 15 deletions
--- a/apps/emqx_management/src/emqx_management.app.src
+++ b/apps/emqx_management/src/emqx_management.app.src
@ -1,6 +1,6 @@
 {application, emqx_management,
 [{description, "EMQ X Management API and CLI"},
-  {vsn, "4.3.13"}, % strict semver, bump manually!
+  {vsn, "4.3.11"}, % strict semver, bump manually!
  {modules, []},
  {registered, [emqx_management_sup]},
  {applications, [kernel,stdlib,minirest]},
--- a/apps/emqx_management/src/emqx_mgmt_http.erl
+++ b/apps/emqx_management/src/emqx_mgmt_http.erl
@ -118,9 +118,10 @@ handle_request(_Method, _Path, Req) ->
    cowboy_req:reply(400, #{<<"content-type">> => <<"text/plain">>}, <<"Not found.">>, Req).

 authorize_appid(Req) ->
-    case cowboy_req:parse_header(<<"authorization">>, Req) of
-        {basic, AppId, AppSecret} -> emqx_mgmt_auth:is_authorized(AppId, AppSecret);
-         _  -> false
+    try
+        {basic, AppId, AppSecret} = cowboy_req:parse_header(<<"authorization">>, Req),
+        emqx_mgmt_auth:is_authorized(AppId, AppSecret)
+    catch _:_ -> false
    end.

 -ifdef(EMQX_ENTERPRISE).
--- a/lib-ce/emqx_dashboard/src/emqx_dashboard.erl
+++ b/lib-ce/emqx_dashboard/src/emqx_dashboard.erl
@ -103,17 +103,17 @@ is_authorized(Req) ->
 is_authorized("/api/v4/auth", _Req) ->
    true;
 is_authorized(_Path, Req) ->
-    case cowboy_req:parse_header(<<"authorization">>, Req) of
-        {basic, Username, Password} ->
-            case emqx_dashboard_admin:check(iolist_to_binary(Username),
-                                            iolist_to_binary(Password)) of
-                ok -> true;
-                {error, Reason} ->
-                    ?LOG(error, "[Dashboard] Authorization Failure: username=~s, reason=~p",
-                                [Username, Reason]),
-                    false
-            end;
-         _  -> false
+    try
+        {basic, Username, Password} = cowboy_req:parse_header(<<"authorization">>, Req),
+        case emqx_dashboard_admin:check(iolist_to_binary(Username), iolist_to_binary(Password)) of
+            ok -> true;
+            {error, Reason} ->
+                ?LOG(error, "[Dashboard] Authorization Failure: username=~s, reason=~p",
+                    [Username, Reason]),
+                false
+        end
+    catch _:_ -> %% bad authorization header will crash.
+        false
    end.

 filter(#{app := emqx_modules}) -> true;