BUG/MINOR: http: Authorization value can have multiple spaces after the scheme As per RFC7235, there can be multiple spaces in the value of an Authorization header, between the scheme and the actual authentication parameters. This can be backported to all stable versions since basic auth has almost always been there. (cherry picked from commit 68c4eae87f2366a9485f5d09250d7ec82d9a1b94) Signed-off-by: Willy Tarreau <w@1wt.eu>

commit: 2ad2ed46262a19b6012fe0ceb0243fe04aff9b71 [log] [tgz]
author: Remi Tricot-Le Breton <rlebreton@haproxy.com> Fri Oct 29 15:25:18 2021 +0200
committer: Willy Tarreau <w@1wt.eu> Wed Nov 03 09:17:34 2021 +0100
tree: c53cbe38b7992b7fa7ed542e9bcaf05f0fb09e20
parent: b02d5f024ee379102320e6fe514aa902d1b26a47 [diff] [blame]
diff --git a/src/http_fetch.c b/src/http_fetch.c
index 6e7ac9e..798f7f6 100644
--- a/src/http_fetch.c
+++ b/src/http_fetch.c

@@ -120,7 +120,13 @@
 	if (chunk_initlen(&auth_method, ctx.value.ptr, 0, len) != 1)
 		return 0;
 
-	chunk_initlen(&txn->auth.method_data, p + 1, 0, ctx.value.len - len - 1);
+	/* According to RFC7235, there could be multiple spaces between the
+	 * scheme and its value, we must skip all of them.
+	 */
+	while (p < istend(ctx.value) && *p == ' ')
+		++p;
+
+	chunk_initlen(&txn->auth.method_data, p, 0, istend(ctx.value) - p);
 
 	if (!strncasecmp("Basic", auth_method.area, auth_method.data)) {
 		struct buffer *http_auth = get_trash_chunk();
commit	2ad2ed46262a19b6012fe0ceb0243fe04aff9b71	[log] [tgz]
author	Remi Tricot-Le Breton <rlebreton@haproxy.com>	Fri Oct 29 15:25:18 2021 +0200
committer	Willy Tarreau <w@1wt.eu>	Wed Nov 03 09:17:34 2021 +0100
tree	c53cbe38b7992b7fa7ed542e9bcaf05f0fb09e20
parent	b02d5f024ee379102320e6fe514aa902d1b26a47 [diff] [blame]