net/http: ignore case of basic auth scheme in Request.BasicAuth
authorBrad Fitzpatrick <bradfitz@golang.org>
Fri, 4 May 2018 17:16:49 +0000 (17:16 +0000)
committerBrad Fitzpatrick <bradfitz@golang.org>
Fri, 4 May 2018 18:40:56 +0000 (18:40 +0000)
RFC 2617, Section 1.2: "It uses an extensible, case-insensitive
token to identify the authentication scheme"

RFC 7617, Section 2: "Note that both scheme and parameter names are
matched case-insensitively."

Fixes #22736

Change-Id: I825d6dbd4fef0f1c6add89f0cbdb56a03eae9443
Reviewed-on: https://go-review.googlesource.com/111516
Reviewed-by: Dmitri Shuralyov <dmitri@shuralyov.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/net/http/request.go
src/net/http/request_test.go

index 1eb6d39067dae31b47c4e0b5646bfe75354db51c..997169ce69ec0bcb077e323f09808c070bbc24a3 100644 (file)
@@ -858,7 +858,8 @@ func (r *Request) BasicAuth() (username, password string, ok bool) {
 // "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" returns ("Aladdin", "open sesame", true).
 func parseBasicAuth(auth string) (username, password string, ok bool) {
        const prefix = "Basic "
-       if !strings.HasPrefix(auth, prefix) {
+       // Case insensitive prefix match. See Issue 22736.
+       if len(auth) < len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) {
                return
        }
        c, err := base64.StdEncoding.DecodeString(auth[len(prefix):])
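Review bot: The comment on the new condition in parseBasicAuth cites only the issue number; it does not say why the length check is there or what kind of case folding applies. `strings.EqualFold` uses Unicode folding, not just ASCII. It appears safe here because the header is sliced to six bytes first, so a multi-byte rune that folds to an ASCII letter would leave too few runes to equal `"Basic "`, but that reasoning should be written down for the next reader. Suggested wording: `// Scheme is case-insensitive (RFC 7617, Section 2). The length check keeps the slice in bounds, and slicing by bytes limits matches to ASCII spellings.` The function body continues past the end of this hunk.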
index aaf9d5cb9b9122b1ced4e66e857137e7bf374fe3..7a83ae5b1cef372b4bbf979320a38248f095b48d 100644 (file)
@@ -607,6 +607,11 @@ var parseBasicAuthTests = []struct {
        ok                         bool
 }{
        {"Basic " + base64.StdEncoding.EncodeToString([]byte("Aladdin:open sesame")), "Aladdin", "open sesame", true},
+
+       // Case doesn't matter:
+       {"BASIC " + base64.StdEncoding.EncodeToString([]byte("Aladdin:open sesame")), "Aladdin", "open sesame", true},
+       {"basic " + base64.StdEncoding.EncodeToString([]byte("Aladdin:open sesame")), "Aladdin", "open sesame", true},
+
        {"Basic " + base64.StdEncoding.EncodeToString([]byte("Aladdin:open:sesame")), "Aladdin", "open:sesame", true},
        {"Basic " + base64.StdEncoding.EncodeToString([]byte(":")), "", "", true},
        {"Basic" + base64.StdEncoding.EncodeToString([]byte("Aladdin:open sesame")), "", "", false},
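Review bot: Neither added row exercises the new `len(auth) < len(prefix)` guard in parseBasicAuth, which is the only thing keeping `auth[:len(prefix)]` from slicing out of range on a short header. Unless the rest of the table (it continues outside this hunk) already covers it, add a too-short and an empty input, e.g. `{"Basi", "", "", false},` and `{"", "", "", false},`. The two new rows also cover only all-upper and all-lower spellings; a mixed-case row such as `"bAsIc " + base64.StdEncoding.EncodeToString([]byte("Aladdin:open sesame"))` would pin the per-character folding.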