Closed
Symfony version(s) affected
6.4.*
Description
The constructor of Symfony\Component\Security\Http\AccessToken\HeaderAccessTokenExtractor contains a regex that checks the Authorization: Bearer b64token header, but this regex is not fully compatible with the RFC definition at https://datatracker.ietf.org/doc/html/rfc6750#section-2.1: the b64token grammar allows trailing "=" padding characters, which the regex rejects.
How to reproduce
Set up security.yaml:

firewalls:
    main:
        access_token:
            token_extractors: 'headers'
Generate a Base64 token with an equals sign at the end (e.g. $token = base64_encode('wrong_regexp_exmaple'))
Make a request with the header Authorization: Bearer d3JvbmdfcmVnZXhwX2V4bWFwbGU=
Possible Solution
Change the regex in /symfony/security-http/AccessToken/HeaderAccessTokenExtractor.php:32 from
'/^%s([a-zA-Z0-9\-_\+~\/\.]+)$/'
to
'/^%s([a-zA-Z0-9\-_\+~\/\.]+=*)$/'
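As an added example that is not Symfony's own code, the following PHP script builds the regex the way the extractor does (the token-type prefix substituted for %s; the exact quoting of that prefix is my assumption) and runs both the reported and the proposed pattern over a few constructed Authorization values, including the one from the reproduction steps.

```php
<?php
// Added example, not Symfony's code. It mirrors how HeaderAccessTokenExtractor
// builds its regex from a "%s" prefix placeholder and runs it over the header.
// The prefix quoting below is my assumption of the approach, not the exact source.

// Regex as reported in Symfony 6.4: rejects base64 "=" padding.
const PATTERN_REPORTED = '/^%s([a-zA-Z0-9\-_\+~\/\.]+)$/';
// Proposed regex: matches RFC 6750 b64token, whose grammar ends with *"=".
const PATTERN_PROPOSED = '/^%s([a-zA-Z0-9\-_\+~\/\.]+=*)$/';

/**
 * Return the token found in $headerValue, or null when the header does not match.
 * $pattern carries a %s placeholder for the token-type prefix ("Bearer ").
 */
function extract_token(string $headerValue, string $pattern, string $tokenType = 'Bearer'): ?string
{
    $regex = sprintf($pattern, preg_quote($tokenType . ' ', '/'));

    return preg_match($regex, $headerValue, $m) === 1 ? $m[1] : null;
}

// Constructed header values: the token from the report, a doubly padded
// token, an unpadded token, and two values that are not valid b64token.
$headers = [
    'Bearer ' . base64_encode('wrong_regexp_exmaple'), // ends with one "="
    'Bearer ' . base64_encode('a'),                     // YQ==, two "="
    'Bearer ' . base64_encode('abc'),                   // YWJj, no padding
    'Bearer YW=Jj',                                      // "=" only allowed at the end
    'Bearer abc$def',                                    // "$" is outside b64token
];

printf("%-40s %-10s %s\n", 'Authorization header', 'reported', 'proposed');
foreach ($headers as $header) {
    printf(
        "%-40s %-10s %s\n",
        $header,
        extract_token($header, PATTERN_REPORTED) === null ? 'rejected' : 'accepted',
        extract_token($header, PATTERN_PROPOSED) === null ? 'rejected' : 'accepted'
    );
}
```

Run with `php example.php`: the reported pattern rejects the two padded headers while the proposed one accepts them, and both patterns still reject the last two, so the change only widens the match by the trailing padding that RFC 6750 permits.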