RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: http: Authorization value can have multiple spaces after the scheme 

As per RFC7235, there can be multiple spaces in the value of an
Authorization header, between the scheme and the actual authentication
parameters.

This can be backported to all stable versions since basic auth has almost
always been there.
This commit is contained in:
Remi Tricot-Le Breton 2021-10-29 15:25:18 +02:00 committed by Willy Tarreau
parent b0c87f1c61
commit 68c4eae87f
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/http_fetch.c
View File

@ -121,7 +121,13 @@ static int get_http_auth(struct sample *smp, struct htx *htx)
if (chunk_initlen(&auth_method, ctx.value.ptr, 0, len) != 1)
return 0;
chunk_initlen(&txn->auth.method_data, p + 1, 0, ctx.value.len - len - 1);
/* According to RFC7235, there could be multiple spaces between the
* scheme and its value, we must skip all of them.
*/
while (p < istend(ctx.value) && *p == ' ')
++p;
chunk_initlen(&txn->auth.method_data, p, 0, istend(ctx.value) - p);
if (!strncasecmp("Basic", auth_method.area, auth_method.data)) {
struct buffer *http_auth = get_trash_chunk();