Fix panic in BasicAuthDecode (#14046)
authorsilverwind <me@silverwind.io>
Fri, 18 Dec 2020 01:51:28 +0000 (02:51 +0100)
committerGitHub <noreply@github.com>
Fri, 18 Dec 2020 01:51:28 +0000 (20:51 -0500)
* Fix panic in BasicAuthDecode

If the string does not contain ":" that function would run into an
`index out of range [1] with length 1` error. Prevent that.

* Update BasicAuthDecode()

Co-authored-by: 6543 <6543@obermui.de>
modules/base/tool.go
modules/base/tool_test.go

index 2cc09fb25d6b575308f3dad30acb85a848fd741d..00b13f76c7bbb9a385721f6d46d1170f78a2361c 100644 (file)
@@ -10,6 +10,7 @@ import (
        "crypto/sha256"
        "encoding/base64"
        "encoding/hex"
+       "errors"
        "fmt"
        "net/http"
        "os"
@@ -63,6 +64,11 @@ func BasicAuthDecode(encoded string) (string, string, error) {
        }
 
        auth := strings.SplitN(string(s), ":", 2)
+
+       if len(auth) != 2 {
+               return "", "", errors.New("invalid basic authentication")
+       }
+
        return auth[0], auth[1], nil
 }
 
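Review bot: The new guard at `if len(auth) != 2` returns a fresh `errors.New` on every call, so callers can only distinguish this failure by comparing the message string; a package-level sentinel, `var ErrInvalidBasicAuth = errors.New("invalid basic authentication")` returned from the guard, would let them use `errors.Is` and keep the wording in one place. The reason two parts are required is not obvious from the code, so a short comment on the guard, `// Basic credentials are user-id ":" password (RFC 7617); reject input without the separator`, would help the next reader. The guard still accepts an empty user-id or password (for example ":secret"), which is presumably intended and left to the caller to validate. BasicAuthDecode's signature and the earlier steps that produce `s` lie outside this hunk.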
index 0c5bd66579c42874333dfcbed8e4937da85ec464..0b708dafdb11b86bf5bb33946c94ccbf14652f8f 100644 (file)
@@ -43,6 +43,12 @@ func TestBasicAuthDecode(t *testing.T) {
        assert.NoError(t, err)
        assert.Equal(t, "foo", user)
        assert.Equal(t, "bar", pass)
+
+       _, _, err = BasicAuthDecode("aW52YWxpZA==")
+       assert.Error(t, err)
+
+       _, _, err = BasicAuthDecode("invalid")
+       assert.Error(t, err)
 }
 
 func TestBasicAuthEncode(t *testing.T) {
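Review bot: The two new cases at `BasicAuthDecode("aW52YWxpZA==")` and `BasicAuthDecode("invalid")` exercise different failure paths but carry no comment saying which, so a reader has to decode the base64 by hand to see the difference. Suggest `// valid base64 ("invalid") that decodes but has no ":" separator` on the first and `// not valid base64 at all` on the second. It would also be worth asserting that the returned user and password are empty on error, e.g. `user, pass, err = BasicAuthDecode("aW52YWxpZA==")` followed by `assert.Empty(t, user)` and `assert.Empty(t, pass)`, so a later change cannot return partial credentials alongside the error unnoticed.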