HTTP: If username and is empty string (default), Authorization is still used #2590

Open
@sebix

If http_username and http_password are set to an empty string, as is the default with IntelMQ Manager, then the collector does send an Authorization header:

```
collector: Runtime configuration: parameter 'http_password' loaded with value 'HIDDEN'.
collector: Runtime configuration: parameter 'http_username' loaded with value ''.
....
os-collector: Request headers: {'User-Agent': 'python-requests/2.32.3', 'Accept-Encoding': 'gzip, deflate, br, zstd', 'Accept': '*/*', 'Connection': 'keep-alive', 'Authorization': 'Basic Og=='}.
```

For endpoints which evaluate the header even if it is not required, this triggers a 403.

Labels: bug, component: bots

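The header value in the log above, `Basic Og==`, is the Basic encoding of an empty username and an empty password joined by a colon. The following is an added example, not code from the issue or from IntelMQ: it reproduces that value with the standard library and contrasts an unguarded header builder with one that skips authentication when the username is empty. The function names and the `is not None` check used for the unguarded path are assumptions made for illustration.

```python
import base64
import binascii


def basic_auth_value(username, password):
    """Build a Basic Authorization value: base64 of 'username:password'."""
    raw = f"{username}:{password}".encode("latin1")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(value):
    """Return (username, password) from a Basic value, or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, pwd = raw.decode("latin1").partition(":")
    return (user, pwd) if sep else None


def auth_from_config(http_username, http_password):
    """Hypothetical guard: treat None and '' alike as 'no credentials'."""
    if not http_username:
        return None
    return (http_username, http_password or "")


def request_headers(http_username, http_password, guarded):
    """Headers a collector would send (hypothetical model, not IntelMQ code)."""
    headers = {"Accept": "*/*"}
    if guarded:
        auth = auth_from_config(http_username, http_password)
    else:
        # Assumed cause: only None counts as unset, so '' still enables auth.
        auth = None if http_username is None else (http_username, http_password)
    if auth is not None:
        headers["Authorization"] = basic_auth_value(*auth)
    return headers


if __name__ == "__main__":
    print(request_headers("", "", guarded=False))  # empty credentials are sent
    print(request_headers("", "", guarded=True))   # no Authorization header
    print(decode_basic("Basic Og=="))              # value from the issue's log
```

`decode_basic` is also useful on the receiving side or in log review to recognise requests that carry empty Basic credentials.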