Details
-
Bug
-
Resolution: Fixed
-
Low
-
2.3.0
-
None
-
None
Description
Parsing for the "Authorization" header is done outside the try/finally block, in StashAuthenticationFilter, but the code may throw a BadCredentialsException if the header is not valid. Since this is outside the exception handling, it results in a 500 error instead of a 401. This is particularly problematic for git hosting operations, which abort after a 500 instead of prompting for credentials like they would on a 401.