Fix panic in BasicAuthDecode (#14046) (#14048)

* Fix panic in BasicAuthDecode

If the string does not contain ":", the function would run into an
`index out of range [1] with length 1` error. Prevent that.

* Update BasicAuthDecode()

Co-authored-by: 6543 <6543@obermui.de>

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: zeripath <art27@cantab.net>
silverwind 2020-12-18 17:19:43 +01:00 committed by GitHub
parent 96d41287e5
commit 55d7e53d99
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 0 deletions


@ -10,6 +10,7 @@ import (
"crypto/sha256" "crypto/sha256"
"encoding/base64" "encoding/base64"
"encoding/hex" "encoding/hex"
"errors"
"fmt" "fmt"
"net/http" "net/http"
"net/url" "net/url"
@ -65,6 +66,11 @@ func BasicAuthDecode(encoded string) (string, string, error) {
} }
auth := strings.SplitN(string(s), ":", 2) auth := strings.SplitN(string(s), ":", 2)
if len(auth) != 2 {
return "", "", errors.New("invalid basic authentication")
}
return auth[0], auth[1], nil return auth[0], auth[1], nil
} }
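Review bot: The length guard added after `strings.SplitN(string(s), ":", 2)` carries no comment explaining why it exists, and the error contract of BasicAuthDecode is not documented in the visible lines. Since the argument is presumably the client-supplied Authorization value and therefore untrusted, I would add `// SplitN yields a single element when the decoded value has no ":"; reject it instead of indexing auth[1].` above the `if`. The constant error text is the right choice because it never echoes the decoded bytes, which may hold part of a password; a doc comment on the function should state that malformed input returns an error and that only the first colon separates user from password. The function begins above this hunk, so an existing doc comment may simply be out of view.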


@ -46,6 +46,12 @@ func TestBasicAuthDecode(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
assert.Equal(t, "foo", user) assert.Equal(t, "foo", user)
assert.Equal(t, "bar", pass) assert.Equal(t, "bar", pass)
_, _, err = BasicAuthDecode("aW52YWxpZA==")
assert.Error(t, err)
_, _, err = BasicAuthDecode("invalid")
assert.Error(t, err)
} }
func TestBasicAuthEncode(t *testing.T) { func TestBasicAuthEncode(t *testing.T) {