From: Remi Tricot-Le Breton <rlebreton@haproxy.com>
Date: Fri, 29 Oct 2021 13:25:18 +0000 (+0200)
Subject: BUG/MINOR: http: Authorization value can have multiple spaces after the scheme
X-Git-Tag: v2.5-dev12~11
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=68c4eae87f2366a9485f5d09250d7ec82d9a1b94;p=haproxy-2.5.git

BUG/MINOR: http: Authorization value can have multiple spaces after the scheme

As per RFC7235, there can be multiple spaces in the value of an
Authorization header, between the scheme and the actual authentication
parameters.

This can be backported to all stable versions since basic auth has almost
always been there.
---

diff --git a/src/http_fetch.c b/src/http_fetch.c
index 0d78fa5..2440574 100644
--- a/src/http_fetch.c
+++ b/src/http_fetch.c
@@ -121,7 +121,13 @@ static int get_http_auth(struct sample *smp, struct htx *htx)
 	if (chunk_initlen(&auth_method, ctx.value.ptr, 0, len) != 1)
 		return 0;
 
-	chunk_initlen(&txn->auth.method_data, p + 1, 0, ctx.value.len - len - 1);
+	/* According to RFC7235, there could be multiple spaces between the
+	 * scheme and its value, we must skip all of them.
+	 */
+	while (p < istend(ctx.value) && *p == ' ')
+		++p;
+
+	chunk_initlen(&txn->auth.method_data, p, 0, istend(ctx.value) - p);
 
 	if (!strncasecmp("Basic", auth_method.area, auth_method.data)) {
 		struct buffer *http_auth = get_trash_chunk();