mirror of
https://github.com/golang/go
synced 2024-11-19 12:04:43 -07:00
net/http: ignore case of basic auth scheme in Request.BasicAuth
RFC 2617, Section 1.2: "It uses an extensible, case-insensitive token to identify the authentication scheme" RFC 7617, Section 2: "Note that both scheme and parameter names are matched case-insensitively." Fixes #22736 Change-Id: I825d6dbd4fef0f1c6add89f0cbdb56a03eae9443 Reviewed-on: https://go-review.googlesource.com/111516 Reviewed-by: Dmitri Shuralyov <dmitri@shuralyov.com> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
parent
73e38303f3
commit
eed79f46c2
@ -858,7 +858,8 @@ func (r *Request) BasicAuth() (username, password string, ok bool) {
|
||||
// "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" returns ("Aladdin", "open sesame", true).
|
||||
func parseBasicAuth(auth string) (username, password string, ok bool) {
|
||||
const prefix = "Basic "
|
||||
if !strings.HasPrefix(auth, prefix) {
|
||||
// Case insensitive prefix match. See Issue 22736.
|
||||
if len(auth) < len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) {
|
||||
return
|
||||
}
|
||||
c, err := base64.StdEncoding.DecodeString(auth[len(prefix):])
|
||||
|
@ -607,6 +607,11 @@ var parseBasicAuthTests = []struct {
|
||||
ok bool
|
||||
}{
|
||||
{"Basic " + base64.StdEncoding.EncodeToString([]byte("Aladdin:open sesame")), "Aladdin", "open sesame", true},
|
||||
|
||||
// Case doesn't matter:
|
||||
{"BASIC " + base64.StdEncoding.EncodeToString([]byte("Aladdin:open sesame")), "Aladdin", "open sesame", true},
|
||||
{"basic " + base64.StdEncoding.EncodeToString([]byte("Aladdin:open sesame")), "Aladdin", "open sesame", true},
|
||||
|
||||
{"Basic " + base64.StdEncoding.EncodeToString([]byte("Aladdin:open:sesame")), "Aladdin", "open:sesame", true},
|
||||
{"Basic " + base64.StdEncoding.EncodeToString([]byte(":")), "", "", true},
|
||||
{"Basic" + base64.StdEncoding.EncodeToString([]byte("Aladdin:open sesame")), "", "", false},
|
||||
|
Loading…
Reference in New Issue
Block a user