authorsilverwind <me@silverwind.io>2020-12-18 02:51:28 +0100
committerGitHub <noreply@github.com>2020-12-17 20:51:28 -0500
commit27edc1aa19afb043a497a7dc628afa420cb1de55 (patch)
tree620ac8b6ab3b181da86efbbe1d459cf66ab0a954
parente9cc613c245fa15cc8d8e3e3e98573a212c73aa4 (diff)
downloadgitea-27edc1aa19afb043a497a7dc628afa420cb1de55.tar.gz
gitea-27edc1aa19afb043a497a7dc628afa420cb1de55.zip
Fix panic in BasicAuthDecode (#14046)
* Fix panic in BasicAuthDecode If the decoded string does not contain ":", the function would run into an `index out of range [1] with length 1` error. Prevent that by returning an error instead. * Update BasicAuthDecode() Co-authored-by: 6543 <6543@obermui.de>
-rw-r--r--modules/base/tool.go6
-rw-r--r--modules/base/tool_test.go6
2 files changed, 12 insertions, 0 deletions
diff --git a/modules/base/tool.go b/modules/base/tool.go
index 2cc09fb25d..00b13f76c7 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -10,6 +10,7 @@ import (
"crypto/sha256"
"encoding/base64"
"encoding/hex"
+ "errors"
"fmt"
"net/http"
"os"
@@ -63,6 +64,11 @@ func BasicAuthDecode(encoded string) (string, string, error) {
}
auth := strings.SplitN(string(s), ":", 2)
+
+ if len(auth) != 2 {
+ return "", "", errors.New("invalid basic authentication")
+ }
+
return auth[0], auth[1], nil
}
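Review bot: The added `len(auth) != 2` guard rejects only a missing separator, so a decoded value such as `:` or `user:` still returns empty strings with a nil error. Whether callers check for an empty user name or password is not visible here, so the contract should be stated on the function: `// BasicAuthDecode decodes a base64 "user:password" pair. It returns an error when the input cannot be decoded or has no ":" separator; the user name or password may be empty, and callers must reject that themselves.` A package-level `ErrInvalidBasicAuth` in place of the inline `errors.New` would also let callers and logs tell a malformed header from other failures. The start of the function body is outside this hunk.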
diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go
index 0c5bd66579..0b708dafdb 100644
--- a/modules/base/tool_test.go
+++ b/modules/base/tool_test.go
@@ -43,6 +43,12 @@ func TestBasicAuthDecode(t *testing.T) {
assert.NoError(t, err)
assert.Equal(t, "foo", user)
assert.Equal(t, "bar", pass)
+
+ _, _, err = BasicAuthDecode("aW52YWxpZA==")
+ assert.Error(t, err)
+
+ _, _, err = BasicAuthDecode("invalid")
+ assert.Error(t, err)
}
func TestBasicAuthEncode(t *testing.T) {
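Review bot: The two new cases in TestBasicAuthDecode assert only that some error is returned, which leaves the boundaries of the `SplitN(…, ":", 2)` logic unpinned. I would add cases for an empty input string, for a decoded value that is just `:` (both parts empty, currently no error), and for a password that itself contains `:` to confirm everything after the first colon is kept as the password. A short comment such as `// "aW52YWxpZA==" decodes to "invalid": valid base64 but no ":" separator` above the first new case would make the intent of each input obvious.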