BUG/MINOR: http: Authorization value can have multiple spaces after the scheme

As per RFC7235, there can be multiple spaces in the value of an
Authorization header, between the scheme and the actual authentication
parameters.

This can be backported to all stable versions since basic auth has almost
always been there.

diff --git a/src/http_fetch.c b/src/http_fetch.c
index 0d78fa54ac8750299a3ba3cadb78dfe04f72af70..24405747ad12a36c442fbb0f6f4fe2b584fb0916 100644 (file)
--- a/src/http_fetch.c
+++ b/src/http_fetch.c
@@ -121,7 +121,13 @@ static int get_http_auth(struct sample *smp, struct htx *htx)
        if (chunk_initlen(&auth_method, ctx.value.ptr, 0, len) != 1)
                return 0;
 
-       chunk_initlen(&txn->auth.method_data, p + 1, 0, ctx.value.len - len - 1);
+       /* According to RFC7235, there could be multiple spaces between the
+        * scheme and its value, we must skip all of them.
+        */
+       while (p < istend(ctx.value) && *p == ' ')
+               ++p;
+
+       chunk_initlen(&txn->auth.method_data, p, 0, istend(ctx.value) - p);
 
        if (!strncasecmp("Basic", auth_method.area, auth_method.data)) {
                struct buffer *http_auth = get_trash_chunk();