fix: padded base64 encoded docker auth field

base64 allows usage of new line characters and some tools use them. As a result, the length of the encoded string cannot be used to determine whether it's padded or not. This patch fixes the regression after #82148.
2025-07-26 13:07:07 +00:00 · 2019-11-27 17:26:44 +01:00 · 2019-11-27 17:26:44 +01:00 · 5bec54ed5b
commit 5bec54ed5b
parent be65a9d1b6
2 changed files with 14 additions and 2 deletions
--- a/pkg/credentialprovider/config.go
+++ b/pkg/credentialprovider/config.go
@ -287,8 +287,7 @@ func decodeDockerConfigFieldAuth(field string) (username, password string, err e

 	// StdEncoding can only decode padded string
 	// RawStdEncoding can only decode unpadded string
-	// a string is correctly padded if and only if its length is a multiple of 4
-	if (len(field) % 4) == 0 {
+	if strings.HasSuffix(strings.TrimSpace(field), "=") {
 		// decode padded data
 		decoded, err = base64.StdEncoding.DecodeString(field)
 	} else {
--- a/pkg/credentialprovider/config_test.go
+++ b/pkg/credentialprovider/config_test.go
@ -214,6 +214,13 @@ func TestDecodeDockerConfigFieldAuth(t *testing.T) {
 			password: "bar",
 		},

+		// some test as before but with new line characters
+		{
+			input:    "Zm9vOm\nJhcg==\n",
+			username: "foo",
+			password: "bar",
+		},
+
 		// standard encoding (with padding)
 		{
 			input:    base64.StdEncoding.EncodeToString([]byte("foo:bar")),
@ -241,6 +248,12 @@ func TestDecodeDockerConfigFieldAuth(t *testing.T) {
 			fail:  true,
 		},

+		// only new line characters are ignored
+		{
+			input: "Zm9vOmJhcg== ",
+			fail:  true,
+		},
+
 		// bad base64 data
 		{
 			input: "pants",