From 55d7e53d99e968e56117b31a27b391b6a5a8e182 Mon Sep 17 00:00:00 2001
From: silverwind
Date: Fri, 18 Dec 2020 17:19:43 +0100
Subject: [PATCH] Fix panic in BasicAuthDecode (#14046) (#14048)
* Fix panic in BasicAuthDecode If the string does not contain ":" that function would run into an `index out of range [1] with length 1` error. prevent that.
* Update BasicAuthDecode()
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: zeripath
---
 modules/base/tool.go | 6 ++++++
 modules/base/tool_test.go | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/modules/base/tool.go b/modules/base/tool.go
index a21fd9b0f4..522fd3d0fa 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -10,6 +10,7 @@ import (
 "crypto/sha256"
 "encoding/base64"
 "encoding/hex"
+ "errors"
 "fmt"
 "net/http"
 "net/url"
@@ -65,6 +66,11 @@ func BasicAuthDecode(encoded string) (string, string, error) {
 }
 auth := strings.SplitN(string(s), ":", 2)
+
+ if len(auth) != 2 {
+ return "", "", errors.New("invalid basic authentication")
+ }
+
 return auth[0], auth[1], nil
 }
diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go
index f765fd0db0..d2187facd7 100644
--- a/modules/base/tool_test.go
+++ b/modules/base/tool_test.go
@@ -46,6 +46,12 @@ func TestBasicAuthDecode(t *testing.T) {
 assert.NoError(t, err)
 assert.Equal(t, "foo", user)
 assert.Equal(t, "bar", pass)
+
+ _, _, err = BasicAuthDecode("aW52YWxpZA==")
+ assert.Error(t, err)
+
+ _, _, err = BasicAuthDecode("invalid")
+ assert.Error(t, err)
 }
 func TestBasicAuthEncode(t *testing.T) {
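Review bot: The length guard added after `strings.SplitN` in BasicAuthDecode carries no comment saying what it protects against, and since the argument is presumably taken from a client-supplied `Authorization` header the reason belongs next to the check: `// SplitN returns a single element when the decoded value has no ":"; indexing auth[1] would panic.` The error is a fixed string that does not echo the decoded bytes, which keeps credential material out of logs and responses, and that property is worth preserving if the message is ever extended. If callers need to tell this case apart from a base64 decoding failure, a package-level sentinel created once with `errors.New` would let them match it with `errors.Is` instead of comparing text. BasicAuthDecode begins before the hunk, so the decoding step itself is not visible here.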
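Review bot: The two cases added to TestBasicAuthDecode only assert that some error is returned, so the test does not record which path each one exercises: `aW52YWxpZA==` is valid base64 for `invalid` (no `:`, so it reaches the new length guard), while the bare `invalid` presumably fails in the base64 decoder before the guard runs. A one-line comment on each, such as `// valid base64, decoded value has no ":"` and `// not valid base64`, would make that explicit. The `SplitN` limit of 2 is also left unpinned; a constructed case such as `user, pass, err = BasicAuthDecode("Zm9vOmJhcjpiYXo=")` (base64 of `foo:bar:baz`) followed by `assert.Equal(t, "bar:baz", pass)` would confirm that a password containing `:` is returned intact. The test function starts outside the hunk, so earlier cases may already cover part of this.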