Fix panic in BasicAuthDecode (#14046) (#14048)

* Fix panic in BasicAuthDecode If the string does not contain ":" that function would run into an `index out of range [1] with length 1` error. prevent that. * Update BasicAuthDecode() Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: zeripath <art27@cantab.net>
2024-11-14 01:35:54 +01:00 · 2020-12-18 17:19:43 +01:00 · 2020-12-18 17:19:43 +01:00 · 55d7e53d99
commit 55d7e53d99
parent 96d41287e5
2 changed files with 12 additions and 0 deletions
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@ -10,6 +10,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
@ -65,6 +66,11 @@ func BasicAuthDecode(encoded string) (string, string, error) {
 	}

 	auth := strings.SplitN(string(s), ":", 2)
+
+	if len(auth) != 2 {
+		return "", "", errors.New("invalid basic authentication")
+	}
+
 	return auth[0], auth[1], nil
 }

--- a/modules/base/tool_test.go
+++ b/modules/base/tool_test.go
@ -46,6 +46,12 @@ func TestBasicAuthDecode(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "foo", user)
 	assert.Equal(t, "bar", pass)
+
+	_, _, err = BasicAuthDecode("aW52YWxpZA==")
+	assert.Error(t, err)
+
+	_, _, err = BasicAuthDecode("invalid")
+	assert.Error(t, err)
 }

 func TestBasicAuthEncode(t *testing.T) {