Be less tolerant when parsing the credencial for Basic authorization. Only spaces should be accepted after the authorization scheme. \t are also tolerated.

The current code accepts \v and \f as well. The same behavior is already used in 'ap_get_basic_auth_pw()' which is mostly the same function as 'get_basic_auth()'. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1817131 13f79535-47bb-0310-9956-ffa450edef68
2025-07-29 12:37:06 +00:00 · 2017-12-04 21:54:58 +00:00
parent 2beaed5d99
commit 8fcc6f170a
2 changed files with 5 additions and 1 deletions
--- a/4
+++ b/4
@ -1,6 +1,10 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.5.1

+  *) mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
+     should be accepted after the authorization scheme. \t are also tolerated.
+     [Christophe Jaillet]
+  
  *) mod_http2: fixed unfair scheduling when number of active connections
     exceeded the scheduling fifo capacity. [Stefan Eissing]

--- a/modules/aaa/mod_auth_basic.c
+++ b/modules/aaa/mod_auth_basic.c
@ -270,7 +270,7 @@ static int get_basic_auth(request_rec *r, const char **user,
    }

    /* Skip leading spaces. */
-    while (apr_isspace(*auth_line)) {
+    while (*auth_line == ' ' || *auth_line == '\t') {
        auth_line++;
    }