From b705a4671f50a2e55a539d6174cb967039a4e83f Mon Sep 17 00:00:00 2001
From: "Huabing (Robin) Zhao"
Date: Mon, 26 Jan 2026 12:30:07 +0800
Subject: [PATCH 1/3] fix basic auth validation
Signed-off-by: Huabing (Robin) Zhao
---
 internal/gatewayapi/securitypolicy.go | 10 ++++++++++
 internal/gatewayapi/securitypolicy_test.go | 11 ++++++++---
 release-notes/current.yaml | 2 +-
 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index 2e937bee7a..bcb873fefa 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -6,6 +6,8 @@
 package gatewayapi
 
 import (
+ //nolint:gosec // SHA1 is required to validate htpasswd {SHA} format.
+ "crypto/sha1"
 "crypto/tls"
 "encoding/base64"
 "encoding/json"
@@ -1829,6 +1831,14 @@ func validateHtpasswdFormat(data []byte) error {
 if !strings.HasPrefix(password, "{SHA}") {
 return fmt.Errorf("unsupported htpasswd format: please use {SHA}")
 }
+ // Envoy BasicAuth only supports unsalted SHA1 {SHA} generated by htpasswd.
+ shaBytes, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(password, "{SHA}"))
+ if err != nil {
+ return fmt.Errorf("invalid htpasswd format: {SHA} must be base64-encoded SHA1")
+ }
+ if len(shaBytes) != sha1.Size {
+ return fmt.Errorf("invalid htpasswd format: {SHA} must be SHA1 (%d bytes)", sha1.Size)
+ }
 }
 return nil
 }
diff --git a/internal/gatewayapi/securitypolicy_test.go b/internal/gatewayapi/securitypolicy_test.go
index c0261c0837..7967a781f3 100644
--- a/internal/gatewayapi/securitypolicy_test.go
+++ b/internal/gatewayapi/securitypolicy_test.go
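Review bot: The two errors added in the validateHtpasswdFormat hunk say a {SHA} entry is malformed but not which one, so an operator with a multi-user htpasswd Secret has to bisect the file; if the username is in scope from the loop (its header is above this hunk), prefix both messages with it, e.g. `return fmt.Errorf("invalid htpasswd entry for user %q: {SHA} must be base64-encoded SHA1", user)`, while keeping the hash itself out of the message as the patch already does. The comment above the decode should also state that this is a format check rather than a strength check: `// Format check only: {SHA} is unsalted SHA-1, so a leaked Secret offers no protection against offline brute force.` Go's base64 decoder ignores \r and \n but not other whitespace, so a trailing space or tab on the password field is now rejected by the decode unless the field is trimmed earlier in the loop, which I cannot see from here. The enclosing function starts outside the hunk.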
@@ -681,12 +681,12 @@ func Test_validateHtpasswdFormat(t *testing.T) {
 }{
 {
 name: "valid htpasswd with SHA format",
- htpasswd: "user1:{SHA}hashed_user1_password\nuser2:{SHA}hashed_user2_password",
+ htpasswd: "user1:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\nuser2:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=",
 wantError: false,
 },
 {
 name: "valid htpasswd with SHA format and empty lines",
- htpasswd: "user1:{SHA}hashed_user1_password\n\nuser2:{SHA}hashed_user2_password\n",
+ htpasswd: "user1:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n\nuser2:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=\n",
 wantError: false,
 },
 {
@@ -709,9 +709,14 @@ func Test_validateHtpasswdFormat(t *testing.T) {
 htpasswd: "user1{SHA}hashed_user1_password",
 wantError: true,
 },
+ {
+ name: "invalid htpasswd with hex sha1",
+ htpasswd: "user1:{SHA}5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
+ wantError: true,
+ },
 {
 name: "mixed valid and invalid formats",
- htpasswd: "user1:{SHA}hashed_user1_password\nuser2:$apr1$hashed_user2_password",
+ htpasswd: "user1:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\nuser2:$apr1$hashed_user2_password",
 wantError: true,
 },
 }
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
index 19d1962153..9046549dac 100644
--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
@@ -48,7 +48,7 @@ bug fixes: |
 Fixed validation of certificates in a CA bundle when some certificates are invalid.
 Fixed an issue where route match rule order is wrong when merging with empty path match.
 Fixed wrong cluster type selection when an HTTPRoute mixes Service backends with Backend (FQDN) references, ensuring STRICT_DNS clusters are generated for the FQDN targets.
-
+ Fixed SecurityPolicy BasicAuth validation to reject invalid {SHA} htpasswd entries.
 
 # Enhancements that improve performance.
 performance improvements: |
From f7f56b929d81f7d8bbf439939bb47a71a17df43b Mon Sep 17 00:00:00 2001
From: "Huabing (Robin) Zhao"
Date: Sat, 31 Jan 2026 20:26:20 +0800
Subject: [PATCH 2/3] release note
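Review bot: None of the cases in the second test hunk reaches the base64 decode-error branch of the new validation: the hex case is 40 characters drawn from the base64 alphabet, so it decodes cleanly to 30 bytes and fails only the sha1.Size length check. Add a case with a value the decoder itself rejects, e.g. `{name: "invalid htpasswd with non-base64 sha", htpasswd: "user1:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g", wantError: true},` (the valid hash minus its trailing `=`, which padded StdEncoding refuses), so a later change to the decoder call is caught. Test_validateHtpasswdFormat begins and ends outside the hunk.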
Signed-off-by: Huabing (Robin) Zhao
---
 release-notes/current.yaml | 18 +-----------------
 1 file changed, 1 insertion(+), 17 deletions(-)
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
index 1ed95f5bce..6d5dc7e8c8 100644
--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
@@ -10,24 +10,8 @@ security updates: | new features: | bug fixes: | - Fixed configured OIDC authorization endpoint being overridden by discovered endpoints from issuer's well-known URL. - Fix 500 errors caused by partially invalid BackendRefs; traffic is now correctly routed between valid backends and 500 responses according to their configured weights. - Fixed an issue where BackendTrafficPolicy does not validate maximum value of requestBuffer limit. - Fixed an issue where observedGeneration is missing from the EnvoyPatchPolicy status. - Fixed a nil pointer error when applying BackendTrafficPolicy to HTTPRoutes with no backendRefs. - Fixed ExternalTrafficPolicy not being applied to Envoy Service when ServiceType is NodePort. - Fixed CRL ref not processed by gateway controller. - Fixed an issue where HTTP/3 listeners could not handle multiple hostnames. - Fix gateway continuing with incomplete resources after unrecoverable Kubernetes discovery errors when checking optional CRDs by failing fast and propagating errors so pods restart instead of skipping optional CRDs. - Fixed an issue where listener translation fails when contains invalid certificate in multiple TLS certificateRefs. - Fixed an issue where auto-detect upstream protocol breaks with multiple backends(HTTP + HTTPS). - Fixed validation of certificates in a CA bundle when some certificates are invalid. - Fixed an issue where route match rule order is wrong when merging with empty path match. - Fixed wrong cluster type selection when an HTTPRoute mixes Service backends with Backend (FQDN) references, ensuring STRICT_DNS clusters are generated for the FQDN targets. Fixed SecurityPolicy BasicAuth validation to reject invalid {SHA} htpasswd entries. - Fixed JWT scope authorization to accept the `scp` claim in addition to `scope`. - Allowed single-label backend hostnames when running with the Host infrastructure, enabling Docker Compose service names for telemetry backends. 
- + # Enhancements that improve performance. performance improvements: | From eb7c2f66373baca909fd17591aae169a52b00f07 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Sat, 31 Jan 2026 20:26:53 +0800 Subject: [PATCH 3/3] release note Signed-off-by: Huabing (Robin) Zhao --- release-notes/current.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 6d5dc7e8c8..33fa9b587f 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -11,7 +11,8 @@ new features: | bug fixes: | Fixed SecurityPolicy BasicAuth validation to reject invalid {SHA} htpasswd entries. - + Allowed single-label backend hostnames when running with the Host infrastructure, enabling Docker Compose service names for telemetry backends. + # Enhancements that improve performance. performance improvements: |