From: Remi Tricot-Le Breton <rlebreton@haproxy.com>
Date: Fri, 29 Oct 2021 13:25:18 +0000 (+0200)
Subject: BUG/MINOR: http: Authorization value can have multiple spaces after the scheme
X-Git-Tag: v2.3.15~17
X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=e9edb5f;p=haproxy-2.3.git

BUG/MINOR: http: Authorization value can have multiple spaces after the scheme

As per RFC7235, there can be multiple spaces in the value of an
Authorization header, between the scheme and the actual authentication
parameters.

This can be backported to all stable versions since basic auth has almost
always been there.

(cherry picked from commit 68c4eae87f2366a9485f5d09250d7ec82d9a1b94)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 2ad2ed46262a19b6012fe0ceb0243fe04aff9b71)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
---

diff --git a/src/http_fetch.c b/src/http_fetch.c
index 04db562..ba320bc 100644
--- a/src/http_fetch.c
+++ b/src/http_fetch.c
@@ -121,7 +121,13 @@ static int get_http_auth(struct sample *smp, struct htx *htx)
 	if (chunk_initlen(&auth_method, ctx.value.ptr, 0, len) != 1)
 		return 0;
 
-	chunk_initlen(&txn->auth.method_data, p + 1, 0, ctx.value.len - len - 1);
+	/* According to RFC7235, there could be multiple spaces between the
+	 * scheme and its value, we must skip all of them.
+	 */
+	while (p < istptr(ctx.value) + istlen(ctx.value) && *p == ' ')
+		++p;
+
+	chunk_initlen(&txn->auth.method_data, p, 0, istptr(ctx.value) + istlen(ctx.value) - p);
 
 	if (!strncasecmp("Basic", auth_method.area, auth_method.data)) {
 		struct buffer *http_auth = get_trash_chunk();