Be less tolerant when parsing the credencial for Basic authorization. Only spaces...

The current code accepts \v and \f as well.

The same behavior is already used in 'ap_get_basic_auth_pw()' which is mostly the same function as 'get_basic_auth()'.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1817131 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index b97d0664e9c9d92867cf154dc27e8625969ac6be..87ed8c87f4230bb431a80a432a325963350c0de5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
+     should be accepted after the authorization scheme. \t are also tolerated.
+     [Christophe Jaillet]
+  
   *) mod_http2: fixed unfair scheduling when number of active connections
      exceeded the scheduling fifo capacity. [Stefan Eissing]
 

diff --git a/modules/aaa/mod_auth_basic.c b/modules/aaa/mod_auth_basic.c
index 5b32e00620eee5121ee211fff3b553cc3f7eecd1..55ea8adf37ab3ec965a183713fedd5161353fc9f 100644 (file)
--- a/modules/aaa/mod_auth_basic.c
+++ b/modules/aaa/mod_auth_basic.c
@@ -270,7 +270,7 @@ static int get_basic_auth(request_rec *r, const char **user,
     }
 
     /* Skip leading spaces. */
-    while (apr_isspace(*auth_line)) {
+    while (*auth_line == ' ' || *auth_line == '\t') {
         auth_line++;
     }