Fix panic in BasicAuthDecode (#14046)

* Fix panic in BasicAuthDecode

If the string does not contain ":", the function would run into an
`index out of range [1] with length 1` error. Prevent that.

* Update BasicAuthDecode()

Co-authored-by: 6543 <6543@obermui.de>
silverwind 2020-12-18 02:51:28 +01:00 committed by GitHub
parent e9cc613c24
commit 27edc1aa19
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 0 deletions


@ -10,6 +10,7 @@ import (
"crypto/sha256" "crypto/sha256"
"encoding/base64" "encoding/base64"
"encoding/hex" "encoding/hex"
"errors"
"fmt" "fmt"
"net/http" "net/http"
"os" "os"
@ -63,6 +64,11 @@ func BasicAuthDecode(encoded string) (string, string, error) {
} }
auth := strings.SplitN(string(s), ":", 2) auth := strings.SplitN(string(s), ":", 2)
if len(auth) != 2 {
return "", "", errors.New("invalid basic authentication")
}
return auth[0], auth[1], nil return auth[0], auth[1], nil
} }
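Review bot: The added `len(auth) != 2` check in BasicAuthDecode only proves that a `:` is present, so a decoded value such as `:` or `user:` still returns empty strings with a nil error, and nothing in the hunk tells callers they must reject those. I would state that in the doc comment, e.g. `// BasicAuthDecode returns an error for malformed input; an empty user name or password is returned as-is and must be validated by the caller.` The error text rightly leaves out the decoded value, which keeps credentials out of logs; a package-level sentinel instead of the inline `errors.New` would additionally let callers match it with `errors.Is`. The start of the function, including the base64 decode, is outside the hunk.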


@ -43,6 +43,12 @@ func TestBasicAuthDecode(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
assert.Equal(t, "foo", user) assert.Equal(t, "foo", user)
assert.Equal(t, "bar", pass) assert.Equal(t, "bar", pass)
_, _, err = BasicAuthDecode("aW52YWxpZA==")
assert.Error(t, err)
_, _, err = BasicAuthDecode("invalid")
assert.Error(t, err)
} }
func TestBasicAuthEncode(t *testing.T) { func TestBasicAuthEncode(t *testing.T) {
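Review bot: The two added cases in TestBasicAuthDecode cover a non-base64 input and a decoded value without a separator, but nothing pins the edges of the `SplitN(..., 2)` split that the new guard relies on. I would add a case whose password contains a colon (decoded `foo:bar:baz`, expecting password `bar:baz`) and one with an empty half (decoded `foo:`), asserting whatever the intended contract is for each. The start of the test function is outside the hunk.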