From 68c4eae87f2366a9485f5d09250d7ec82d9a1b94 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Fri, 29 Oct 2021 15:25:18 +0200
Subject: [PATCH] BUG/MINOR: http: Authorization value can have multiple spaces after the scheme

As per RFC7235, there can be multiple spaces in the value of an Authorization header, between the scheme and the actual authentication parameters. This can be backported to all stable versions since basic auth has almost always been there.
---
 src/http_fetch.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/http_fetch.c b/src/http_fetch.c
index 0d78fa54a..24405747a 100644
--- a/src/http_fetch.c
+++ b/src/http_fetch.c
@@ -121,7 +121,13 @@ static int get_http_auth(struct sample *smp, struct htx *htx)
 if (chunk_initlen(&auth_method, ctx.value.ptr, 0, len) != 1)
 return 0;
 
- chunk_initlen(&txn->auth.method_data, p + 1, 0, ctx.value.len - len - 1);
+ /* According to RFC7235, there could be multiple spaces between the
+ * scheme and its value, we must skip all of them.
+ */
+ while (p < istend(ctx.value) && *p == ' ')
+ ++p;
+
+ chunk_initlen(&txn->auth.method_data, p, 0, istend(ctx.value) - p);
 
 if (!strncasecmp("Basic", auth_method.area, auth_method.data)) {
 struct buffer *http_auth = get_trash_chunk();
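Review bot: After the new skip loop `p` can equal `istend(ctx.value)` when the header holds a scheme followed only by spaces, so `txn->auth.method_data` is set up with length 0, and the result of this `chunk_initlen` is ignored while the call on `auth_method` just above is tested with `!= 1`. If an empty credential should count as no credentials, an explicit `if (p == istend(ctx.value)) return 0;` after the loop would make that visible instead of leaving it to the scheme-specific decoding that follows; whether that decoding already rejects empty data cannot be seen from this hunk. `p` and `len` are set before the hunk and get_http_auth continues past it. Because the proxy and the server behind it must agree on how this header is split, a regression test covering several spaces and trailing spaces only would pin the behaviour.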