From: Willy Tarreau Date: Tue, 26 May 2026 06:28:33 +0000 (+0200) Subject: BUG/MINOR: http-fetch: check against the whole token in get_http_auth() X-Git-Tag: v3.4-dev14~34 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=e583b38c63939e334bd85321689413cd139953c0;p=thirdparty%2Fhaproxy.git BUG/MINOR: http-fetch: check against the whole token in get_http_auth() In 1.4, Basic authentication support was added by commit f9423ae43a ("[MINOR] acl: add http_auth and http_auth_group"). Interestingly, a mistake there consisted in taking the length of the comparison from the input token, so "b" matches "Basic". It was later propagated to Bearer in 2.5 with commit f5dd337b12 ("MINOR: http: Add http_auth_bearer sample fetch"). Let's just compare the entire tokens. This may be backported though it is very minor.
---
diff --git a/src/http_fetch.c b/src/http_fetch.c
index 3a7ca3c5c..718819c7f 100644
--- a/src/http_fetch.c
+++ b/src/http_fetch.c
@@ -135,7 +135,7 @@ static int get_http_auth(struct sample *smp, struct htx *htx)
 chunk_initlen(&txn->auth.method_data, p, 0, istend(ctx.value) - p);
- if (!strncasecmp("Basic", auth_method.area, auth_method.data)) {
+ if (isteqi(ist2(auth_method.area, auth_method.data), ist("Basic"))) {
 struct buffer *http_auth = get_trash_chunk();
 len = base64dec(txn->auth.method_data.area,
@@ -159,7 +159,7 @@ static int get_http_auth(struct sample *smp, struct htx *htx)
 txn->auth.method = HTTP_AUTH_BASIC;
 return 1;
- } else if (!strncasecmp("Bearer", auth_method.area, auth_method.data)) {
+ } else if (isteqi(ist2(auth_method.area, auth_method.data), ist("Bearer"))) {
 txn->auth.method = HTTP_AUTH_BEARER;
 return 1;
 }
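Review bot: Nothing at the Basic comparison records why the whole scheme token must match, so a later cleanup could bring back a length taken from the input; a comment there would pin it, for example `/* compare the whole scheme token: a length taken from the input lets any prefix, even "b", select this branch */`, and the same applies to the Bearer test in the second hunk. Both sites also build the same `ist2(auth_method.area, auth_method.data)`, which could be held in one local `struct ist` and reused. The old prefix match probably mattered most as a parser differential, since any component that matches the scheme name exactly would classify such a request differently from this code, so a regression test that sends a truncated scheme token and expects no auth match would be worth adding with the backport. get_http_auth() starts and ends outside both hunks, so whether an empty token can reach these comparisons is not visible here.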