From: Christophe Jaillet
Date: Mon, 4 Dec 2017 21:54:58 +0000 (+0000)
Subject: Be less tolerant when parsing the credential for Basic authorization. Only spaces...
X-Git-Tag: 2.5.0-alpha2-ci-test-only~3101
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8fcc6f170adfc894b08f7f3d0348535dd215f67c;p=thirdparty%2Fapache%2Fhttpd.git

Be less tolerant when parsing the credential for Basic authorization.
Only spaces should be accepted after the authorization scheme.
\t are also tolerated.

The current code accepts \v and \f as well.

The same behavior is already used in 'ap_get_basic_auth_pw()' which is mostly the same function as 'get_basic_auth()'.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1817131 13f79535-47bb-0310-9956-ffa450edef68
--- diff --git a/CHANGES b/CHANGES index b97d0664e9c..87ed8c87f42 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces + should be accepted after the authorization scheme. \t are also tolerated. + [Christophe Jaillet] + *) mod_http2: fixed unfair scheduling when number of active connections exceeded the scheduling fifo capacity. [Stefan Eissing] diff --git a/modules/aaa/mod_auth_basic.c b/modules/aaa/mod_auth_basic.c index 5b32e00620e..55ea8adf37a 100644 --- a/modules/aaa/mod_auth_basic.c +++ b/modules/aaa/mod_auth_basic.c @@ -270,7 +270,7 @@ static int get_basic_auth(request_rec *r, const char **user, } /* Skip leading spaces. */ - while (apr_isspace(*auth_line)) { + while (*auth_line == ' ' || *auth_line == '\t') { auth_line++; }
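
Review bot: The new mod_auth_basic entry in CHANGES misspells "credencial" (should be "credentials") and never says what is now rejected. The commit message states that the old code also accepted \v and \f, but the entry only mentions that spaces are accepted and \t tolerated, so an operator reading CHANGES cannot tell which Authorization headers will stop parsing. Suggest wording along the lines of "Only spaces and tabs are skipped after the authorization scheme; other whitespace such as \v and \f is no longer accepted."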
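
Review bot: In the modules/aaa/mod_auth_basic.c hunk, the comment above the changed loop in get_basic_auth() still reads "Skip leading spaces." although the condition now deliberately accepts only ' ' and '\t'. The comment should name both characters and say that other whitespace is excluded on purpose, otherwise a later cleanup could switch the loop back to apr_isspace(). The commit message says ap_get_basic_auth_pw() already carries the same check and is mostly the same function, so consider factoring the skip into one shared helper so that the two parsers cannot drift apart again. No test is visible in this patch; a regression case that sends the scheme followed by \v or \f would pin the stricter behaviour.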