
HTTP Auth credentials parsing fails with malformed base64, causing JSON encoding errors.

Open terabytesoftw opened this issue 9 months ago • 1 comments

The getAuthCredentials() method in yii\web\Request does not validate base64-decoded data from the Authorization header, causing applications to throw InvalidArgumentException: Malformed UTF-8 characters when the response is JSON encoded.

Steps to Reproduce

  1. Send a request with malformed Authorization header:

    GET /api/endpoint HTTP/1.1
    Authorization: Basic foo:bar
    
  2. In your controller action:

    public function actionAuth(): array
    {
        Yii::$app->response->format = Response::FORMAT_JSON;
    
        return [
            'username' => Yii::$app->request->getAuthUser(),
            'password' => Yii::$app->request->getAuthPassword(),
        ];
    }
    
  3. Expected: Returns {"username": null, "password": null} with 200 status.

  4. Actual: Throws InvalidArgumentException: Malformed UTF-8 characters, possibly incorrectly encoded with 500 status.

terabytesoftw Jul 27 '25 16:07

need to add mb_check_encoding($decoded, 'UTF-8') checker

xicond Jul 27 '25 16:07
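Added example, not Yii's code and not part of the thread above: a standalone Basic-credentials parser that combines strict base64 decoding with the mb_check_encoding() check suggested in the comment, so a header like the one in the report yields null credentials instead of raw bytes that break JSON encoding. The function name parseBasicAuth and the sample headers are hypothetical, and the mbstring extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: parse an "Authorization: Basic ..." header value into
 * [username, password]. Anything malformed yields [null, null].
 */
function parseBasicAuth(?string $header): array
{
    if ($header === null || strncasecmp($header, 'basic ', 6) !== 0) {
        return [null, null];
    }

    // Strict mode rejects characters outside the base64 alphabet (such as ':')
    // instead of silently skipping them and decoding whatever is left.
    $decoded = base64_decode(trim(substr($header, 6)), true);

    // Even valid base64 can carry bytes that are not valid UTF-8 and would
    // later make json_encode() fail, so check the decoded value as well.
    if ($decoded === false || !mb_check_encoding($decoded, 'UTF-8')) {
        return [null, null];
    }

    // Split on the first colon only: a password may itself contain ':'.
    $parts = explode(':', $decoded, 2);
    if (count($parts) < 2) {
        // Design choice of this example: no colon means no usable credentials.
        return [null, null];
    }

    // Report empty components as null rather than as empty strings.
    return array_map(static fn(string $v): ?string => $v === '' ? null : $v, $parts);
}

// Constructed sample headers.
$samples = [
    'Basic ' . base64_encode('alice:s3cret:with:colons'), // well-formed
    'Basic foo:bar',                                      // header from the report
    'Basic ' . base64_encode("\xff\xfe:pw"),              // valid base64, invalid UTF-8
    'Bearer abc.def.ghi',                                 // different scheme
];

foreach ($samples as $header) {
    [$user, $pass] = parseBasicAuth($header);
    // JSON_THROW_ON_ERROR makes any remaining encoding problem fail loudly.
    echo json_encode(['username' => $user, 'password' => $pass], JSON_THROW_ON_ERROR), PHP_EOL;
}
```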