Skip to content

fix(flight): reject Basic credentials without a separator#942

Merged
zeroshade merged 1 commit into
apache:mainfrom
fallintoplace:fix/flight-basic-auth-credentials
Jul 15, 2026
Merged

fix(flight): reject Basic credentials without a separator#942
zeroshade merged 1 commit into
apache:mainfrom
fallintoplace:fix/flight-basic-auth-credentials

Conversation

@fallintoplace

Copy link
Copy Markdown
Contributor

Rationale for this change

A valid Base64 Basic credential without a colon decoded to a one-element slice. The streaming authentication interceptor then indexed the missing password and panicked.

What changes are included in this PR?

Use strings.Cut to split the decoded username and password, and return an Unauthenticated error when the separator is absent. Empty usernames and passwords remain validator policy.

Are these changes tested?

Yes. Regression cases cover empty input, a username without a separator, empty username/password values, and passwords containing additional colons. go test ./arrow/flight passes.

Are there any user-facing changes?

Malformed Basic credentials now return Unauthenticated instead of panicking.

@fallintoplace
fallintoplace requested a review from zeroshade as a code owner July 15, 2026 03:40
@fallintoplace
fallintoplace force-pushed the fix/flight-basic-auth-credentials branch from 5254b37 to f26e21c Compare July 15, 2026 04:09

@zeroshade zeroshade left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — verified the fix and its test coverage. Thanks!

@zeroshade
zeroshade merged commit 9a69c7a into apache:main Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants