From 8fcc6f170adfc894b08f7f3d0348535dd215f67c Mon Sep 17 00:00:00 2001 From: Christophe Jaillet Date: Mon, 4 Dec 2017 21:54:58 +0000 Subject: [PATCH] Be less tolerant when parsing the credencial for Basic authorization. Only spaces should be accepted after the authorization scheme. \t are also tolerated. The current code accepts \v and \f as well. The same behavior is already used in 'ap_get_basic_auth_pw()' which is mostly the same function as 'get_basic_auth()'. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1817131 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++++ modules/aaa/mod_auth_basic.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index b97d0664e9c..87ed8c87f42 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces + should be accepted after the authorization scheme. \t are also tolerated. + [Christophe Jaillet] + *) mod_http2: fixed unfair scheduling when number of active connections exceeded the scheduling fifo capacity. [Stefan Eissing] diff --git a/modules/aaa/mod_auth_basic.c b/modules/aaa/mod_auth_basic.c index 5b32e00620e..55ea8adf37a 100644 --- a/modules/aaa/mod_auth_basic.c +++ b/modules/aaa/mod_auth_basic.c @@ -270,7 +270,7 @@ static int get_basic_auth(request_rec *r, const char **user, } /* Skip leading spaces. */ - while (apr_isspace(*auth_line)) { + while (*auth_line == ' ' || *auth_line == '\t') { auth_line++; } -- 2.47.3
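Review bot: In the CHANGES hunk, the new mod_auth_basic entry misspells "credencial"; since this text ships in the release notes, it should read "credentials". The second sentence pair is also easy to misread: "Only spaces should be accepted after the authorization scheme. \t are also tolerated." reads as a rule followed by an exception. Consider stating the resulting behavior in one sentence, for example that only spaces and tabs are now skipped after the authorization scheme, and naming what is no longer accepted (the commit message mentions \v and \f) so administrators can tell whether a client that worked before might now be rejected.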
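Review bot: In the modules/aaa/mod_auth_basic.c hunk, the unchanged comment "/* Skip leading spaces. */" no longer describes the loop beneath it, which now accepts exactly ' ' and '\t' by design. Please update the comment to say spaces and tabs and to note that the narrow set is intentional, so a later cleanup does not put apr_isspace() back. The commit message says get_basic_auth() is mostly the same function as ap_get_basic_auth_pw() and that the latter already behaves this way; having the same literal character test written out in two places is how the two drifted apart in the first place, so a shared helper or at least a cross-reference in the comment would keep the header parsing consistent between them. A test that sends the scheme followed by \v or \f and expects the credentials to be rejected would pin the new behavior.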