aboutsummaryrefslogtreecommitdiffstats
path: root/modules/base
diff options
context:
space:
mode:
authorsilverwind <me@silverwind.io>2020-12-18 02:51:28 +0100
committerGitHub <noreply@github.com>2020-12-17 20:51:28 -0500
commit27edc1aa19afb043a497a7dc628afa420cb1de55 (patch)
tree620ac8b6ab3b181da86efbbe1d459cf66ab0a954 /modules/base
parente9cc613c245fa15cc8d8e3e3e98573a212c73aa4 (diff)
downloadgitea-27edc1aa19afb043a497a7dc628afa420cb1de55.tar.gz
gitea-27edc1aa19afb043a497a7dc628afa420cb1de55.zip
Fix panic in BasicAuthDecode (#14046)
* Fix panic in BasicAuthDecode If the string does not contain ":" that function would run into an `index out of range [1] with length 1` error. prevent that. * Update BasicAuthDecode() Co-authored-by: 6543 <6543@obermui.de>
Diffstat (limited to 'modules/base')
-rw-r--r--modules/base/tool.go6
-rw-r--r--modules/base/tool_test.go6
2 files changed, 12 insertions, 0 deletions
diff --git a/modules/base/tool.go b/modules/base/tool.go
index 2cc09fb25d..00b13f76c7 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -10,6 +10,7 @@ import (
"crypto/sha256"
"encoding/base64"
"encoding/hex"
+ "errors"
"fmt"
"net/http"
"os"
@@ -63,6 +64,11 @@ func BasicAuthDecode(encoded string) (string, string, error) {
}
auth := strings.SplitN(string(s), ":", 2)
+
+ if len(auth) != 2 {
+ return "", "", errors.New("invalid basic authentication")
+ }
+
return auth[0], auth[1], nil
}
diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go
index 0c5bd66579..0b708dafdb 100644
--- a/modules/base/tool_test.go
+++ b/modules/base/tool_test.go
@@ -43,6 +43,12 @@ func TestBasicAuthDecode(t *testing.T) {
assert.NoError(t, err)
assert.Equal(t, "foo", user)
assert.Equal(t, "bar", pass)
+
+ _, _, err = BasicAuthDecode("aW52YWxpZA==")
+ assert.Error(t, err)
+
+ _, _, err = BasicAuthDecode("invalid")
+ assert.Error(t, err)
}
func TestBasicAuthEncode(t *testing.T) {