matrix-org/synapse

M_UNAUTHORIZED if 'Authorization' header value contains optional whitespace for federation requests (SYN-437)

Open

#1350 opened on Jul 14, 2015

View on GitHub
 (5 comments) (0 reactions) (0 assignees)Python (11,713 stars) (2,196 forks)batch import
A-Spec-ComplianceO-UncommonS-TolerableT-Defectgood first issue

Description

It's a little unclear from the spec, but I believe the intention is that the federation Authorization header is supposed to follow RFC7235 format. To quote:

 Authorization = credentials

  credentials = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param )
    *( OWS "," [ OWS auth-param ] ) ] ) ]

The OWS parts in there suggest that "optional whitespace" is allowed between comma-separated auth-param components.

However, while synapse is happy with

Authorization: X-Matrix origin="localhost:33515",key="ed25519:1",sig="hNMLqNd1T+JUVc53JxpRUtV8uTeAFiz/H8ewf5BffPz4Pem3EiIOq7L06B3fNHmWrW+ZVBkdG1tGEU9Fyl+lAA"

it breaks with

Authorization: X-Matrix origin="localhost:48078", key="ed25519:1", sig="24xkXS8iJE9dCdU5j0GRym4eps+vzUYvYaPosjdjU/G2etNQGVc1erInpmjJJHlJoJu1GDb8H3JzXQga47oADg"

In the latter case, the resulting error message is:

400 Bad Request
{"errcode":"M_UNAUTHORIZED","error":"Malformed Authorization header"}

(Imported from https://matrix.org/jira/browse/SYN-437)

(Reported by @leonerd)

Contributor guide

Tech stack
python
Domain
backend
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
familiarity with HTTP Authorization headersbasic Pythonunderstanding of federation concept
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
50
Research direction
Examine the federation authorization header parsing code in the Synapse repository, likely in the HTTP handler or federation module. The issue points out that optional whitespace (OWS) between auth params is not accepted, contrary to RFC7235. Look for the function that validates the Authorization header (e.g., in synapse/http/federation.py or similar). The fix likely involves allowing OWS after commas in the credentials, possibly by adjusting a regular expression or parsing logic. Test with the provided malformed header to ensure the error M UNAUTHORIZED is resolved.