BUG/MINOR: http: Authorization value can have multiple spaces after the scheme As per RFC7235, there can be multiple spaces in the value of an Authorization header, between the scheme and the actual authentication parameters. This can be backported to all stable versions since basic auth has almost always been there.

commit: 68c4eae87f2366a9485f5d09250d7ec82d9a1b94 [log] [tgz]
author: Remi Tricot-Le Breton <rlebreton@haproxy.com> Fri Oct 29 15:25:18 2021 +0200
committer: Willy Tarreau <w@1wt.eu> Fri Oct 29 17:40:17 2021 +0200
tree: aecf9dc8cdd5def43dc5e237698a2bd8d4264dfb
parent: b0c87f1c61edbc4e4affd81d2fd02e113528cf03 [diff]
diff --git a/src/http_fetch.c b/src/http_fetch.c
index 0d78fa5..2440574 100644
--- a/src/http_fetch.c
+++ b/src/http_fetch.c

@@ -121,7 +121,13 @@
 	if (chunk_initlen(&auth_method, ctx.value.ptr, 0, len) != 1)
 		return 0;
 
-	chunk_initlen(&txn->auth.method_data, p + 1, 0, ctx.value.len - len - 1);
+	/* According to RFC7235, there could be multiple spaces between the
+	 * scheme and its value, we must skip all of them.
+	 */
+	while (p < istend(ctx.value) && *p == ' ')
+		++p;
+
+	chunk_initlen(&txn->auth.method_data, p, 0, istend(ctx.value) - p);
 
 	if (!strncasecmp("Basic", auth_method.area, auth_method.data)) {
 		struct buffer *http_auth = get_trash_chunk();
commit	68c4eae87f2366a9485f5d09250d7ec82d9a1b94	[log] [tgz]
author	Remi Tricot-Le Breton <rlebreton@haproxy.com>	Fri Oct 29 15:25:18 2021 +0200
committer	Willy Tarreau <w@1wt.eu>	Fri Oct 29 17:40:17 2021 +0200
tree	aecf9dc8cdd5def43dc5e237698a2bd8d4264dfb
parent	b0c87f1c61edbc4e4affd81d2fd02e113528cf03 [diff]