From 5bec54ed5b6d91bd7ff220aeeabc90cae0615ced Mon Sep 17 00:00:00 2001 From: Oleg Bulatov Date: Wed, 27 Nov 2019 17:26:44 +0100 Subject: [PATCH] fix: padded base64 encoded docker auth field base64 allows usage of new line characters and some tools use them. As a result, the length of the encoded string cannot be used to determine whether it's padded or not. This patch fixes the regression after #82148. --- pkg/credentialprovider/config.go | 3 +-- pkg/credentialprovider/config_test.go | 13 +++++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/pkg/credentialprovider/config.go b/pkg/credentialprovider/config.go index 8816f833e55..377383aa903 100644 --- a/pkg/credentialprovider/config.go +++ b/pkg/credentialprovider/config.go @@ -287,8 +287,7 @@ func decodeDockerConfigFieldAuth(field string) (username, password string, err e // StdEncoding can only decode padded string // RawStdEncoding can only decode unpadded string - // a string is correctly padded if and only if its length is a multiple of 4 - if (len(field) % 4) == 0 { + if strings.HasSuffix(strings.TrimSpace(field), "=") { // decode padded data decoded, err = base64.StdEncoding.DecodeString(field) } else { diff --git a/pkg/credentialprovider/config_test.go b/pkg/credentialprovider/config_test.go index edbdaa1abeb..c310dc33dce 100644 --- a/pkg/credentialprovider/config_test.go +++ b/pkg/credentialprovider/config_test.go @@ -214,6 +214,13 @@ func TestDecodeDockerConfigFieldAuth(t *testing.T) { password: "bar", }, + // some test as before but with new line characters + { + input: "Zm9vOm\nJhcg==\n", + username: "foo", + password: "bar", + }, + // standard encoding (with padding) { input: base64.StdEncoding.EncodeToString([]byte("foo:bar")), @@ -241,6 +248,12 @@ func TestDecodeDockerConfigFieldAuth(t *testing.T) { fail: true, }, + // only new line characters are ignored + { + input: "Zm9vOmJhcg== ", + fail: true, + }, + // bad base64 data { input: "pants",