From 36a04c1548a4c0ddee6204d36cf4d02fca335866 Mon Sep 17 00:00:00 2001
From: serassio <>
Date: Sat, 19 Mar 2005 22:41:55 +0000
Subject: [PATCH] Bug #1171: Basic authentication fails with very long logins or password

There was an artificial limit on the login+password to no more than 64 characters in total. Forward port of 2.5 patch.
---
 src/auth/basic/auth_basic.cc | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/auth/basic/auth_basic.cc b/src/auth/basic/auth_basic.cc
index e454e1e8cb..f3f8b78bd5 100644
--- a/src/auth/basic/auth_basic.cc
+++ b/src/auth/basic/auth_basic.cc
@@ -1,5 +1,5 @@
 /*
- * $Id: auth_basic.cc,v 1.36 2005/01/06 13:16:39 serassio Exp $
+ * $Id: auth_basic.cc,v 1.37 2005/03/19 15:41:55 serassio Exp $
 *
 * DEBUG: section 29 Authenticator
 * AUTHOR: Duane Wessels
@@ -396,12 +396,16 @@ BasicUser::extractUsername()
 * Don't allow NL or CR in the credentials.
 * Oezguer Kesim
 */
- strtok(cleartext, "\r\n");
- debug(29, 9) ("authenticateBasicDecodeAuth: cleartext = '%s'\n", cleartext);
- char * tempusername = xstrndup(cleartext, USER_IDENT_SZ);
- xfree(cleartext);
+ if (strcspn(cleartext, "\r\n") != strlen(cleartext)) {
+ debug(29, 1) ("authenticateBasicDecodeAuth: bad characters in authorization header '%s'\n",
+ httpAuthHeader);
+ xfree(cleartext);
+ return;
+ }
+
+ char * tempusername = cleartext;
 /* terminate the username string */
 if ((cleartext = strchr(tempusername, ':')) != NULL)
-- 
2.47.3
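Review bot: The rejection branch added in the second hunk prints `httpAuthHeader` at debug level 1, and if that variable holds the client's Authorization value (its definition is outside the hunk), the base64-encoded login and password of each rejected request are written to the log, where base64 gives no protection. I would log a fixed message instead, `debug(29, 1) ("authenticateBasicDecodeAuth: bad characters in authorization header\n");`, or emit the header text only at a high debug level. Separately, `tempusername` now aliases the decoded buffer rather than an `xstrndup(cleartext, USER_IDENT_SZ)` copy, so the username is no longer capped and ownership of the buffer passes to the code after the hunk. The rest of `BasicUser::extractUsername()` lies outside the hunk, so please confirm that it frees the buffer exactly once and that no consumer of the username still assumes `USER_IDENT_SZ`.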