From a57b2c1c0805abe603744948deba62690f42c777 Mon Sep 17 00:00:00 2001
From: Gustaf Naeser
Date: Tue, 7 Nov 2023 08:30:20 +0100
Subject: [PATCH] According to RFC7617 the password consists of everything following the first colon, including any colons.

---
 src/yaws.erl             | 9 +++------
 testsuite/auth_SUITE.erl | 9 +++++++++
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/yaws.erl b/src/yaws.erl
index 686009fad..44d88ef9b 100644
--- a/src/yaws.erl
+++ b/src/yaws.erl
@@ -2948,12 +2948,9 @@ parse_auth(Orig = "Basic " ++ Auth64) ->
         {error, _Err} ->
             {undefined, undefined, Orig};
         Auth ->
-            case string:tokens(Auth, ":") of
-                [User, Pass ] ->
-                    {User, Pass, Orig};
-                [User, Pass0 | Extra] ->
-                    %% password can contain :
-                    Pass = join_sep([Pass0 | Extra], ":"),
+            case string:split(Auth, ":") of
+                %% Password can contain colons, username cannot (RFC7617).
+                [User, Pass] when User /= [] ->
                     {User, Pass, Orig};
                 _ ->
                     {undefined, undefined, Orig}
diff --git a/testsuite/auth_SUITE.erl b/testsuite/auth_SUITE.erl
index a08363b6d..87c0ef0d9 100644
--- a/testsuite/auth_SUITE.erl
+++ b/testsuite/auth_SUITE.erl
@@ -53,7 +53,16 @@ end_per_testcase(_Test, _Config) ->
     ok.
 
 %%====================================================================
+check_auth_parsing(User, Password) ->
+    {_, Auth} = auth_header(User, Password),
+    ?assertMatch({User, Password, Auth}, yaws:parse_auth(Auth)).
+
 basic_auth(Config) ->
+    check_auth_parsing("foo", ""),
+    check_auth_parsing("foo", ":"),
+    check_auth_parsing("foo", "bar"),
+    check_auth_parsing("foo", "::bar:::frob::::"),
+
     Port = testsuite:get_yaws_port(1, Config),
     Url = testsuite:make_url(http, "127.0.0.1", Port, "/test1/a.txt"),
     Auth1 = auth_header("foo", "baz"),
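Review bot: The new `[User, Pass] when User /= []` clause silently widens what parse_auth accepts: `string:split("foo:", ":")` yields `["foo", []]`, so an empty password now parses as `{"foo", [], Orig}` where the old `string:tokens` path (which drops empty tokens) returned `{undefined, undefined, Orig}`; the test-suite hunk shows this is intended, but the in-hunk comment does not say it, and any caller that relied on `undefined` to mean "no credentials" will now see `[]` instead. Suggested replacement comment: `%% Password may contain colons and may be empty (RFC 7617 password = *TEXT); an empty user-id is rejected.`. Prefer the exact comparison `when User =/= []` for consistency with idiomatic Erlang, although for a list against `[]` the result is identical. If the removed line was the only caller of `join_sep/2`, that helper is now dead code and will raise an unused-function warning unless it is exported elsewhere in yaws.erl. parse_auth's body begins before and ends after this hunk.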
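Review bot: The four new `check_auth_parsing` calls in basic_auth exercise only accepted credentials, so the rejection branch the parser change also touches — an empty user-id, and a decoded credential with no colon — has no assertion, and a regression that started accepting `":bar"` as a valid user/password pair would pass the suite. Next to the existing calls add `{_, Bad} = auth_header("", "bar"),` and `?assertMatch({undefined, undefined, Bad}, yaws:parse_auth(Bad)),` (this presumes auth_header encodes the value as user-id ":" password, which is how the new helper uses it; confirm against its definition, which is outside the hunk). check_auth_parsing has no comment; a one-liner such as `%% Round-trip User/Password through the Basic Authorization header and yaws:parse_auth/1.` above it would document the helper's contract. basic_auth continues past the end of the hunk.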