From 27edc1aa19afb043a497a7dc628afa420cb1de55 Mon Sep 17 00:00:00 2001
From: silverwind
Date: Fri, 18 Dec 2020 02:51:28 +0100
Subject: [PATCH] Fix panic in BasicAuthDecode (#14046)

* Fix panic in BasicAuthDecode

If the string does not contain ":" that function would run into an `index out of range [1] with length 1` error. prevent that.

* Update BasicAuthDecode()

Co-authored-by: 6543 <6543@obermui.de>
---
 modules/base/tool.go | 6 ++++++
 modules/base/tool_test.go | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/modules/base/tool.go b/modules/base/tool.go
index 2cc09fb25d..00b13f76c7 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -10,6 +10,7 @@ import (
 "crypto/sha256"
 "encoding/base64"
 "encoding/hex"
+ "errors"
 "fmt"
 "net/http"
 "os"
@@ -63,6 +64,11 @@ func BasicAuthDecode(encoded string) (string, string, error) {
 }
 
 auth := strings.SplitN(string(s), ":", 2)
+
+ if len(auth) != 2 {
+ return "", "", errors.New("invalid basic authentication")
+ }
+
 return auth[0], auth[1], nil
 }
 
diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go
index 0c5bd66579..0b708dafdb 100644
--- a/modules/base/tool_test.go
+++ b/modules/base/tool_test.go
@@ -43,6 +43,12 @@ func TestBasicAuthDecode(t *testing.T) {
 assert.NoError(t, err)
 assert.Equal(t, "foo", user)
 assert.Equal(t, "bar", pass)
+
+ _, _, err = BasicAuthDecode("aW52YWxpZA==")
+ assert.Error(t, err)
+
+ _, _, err = BasicAuthDecode("invalid")
+ assert.Error(t, err)
 }
 
 func TestBasicAuthEncode(t *testing.T) {
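Review bot: The added `len(auth) != 2` guard in BasicAuthDecode rejects a decoded value with no `:`, but a value such as `:` or `user:` still returns a nil error with an empty user name or password. Whether callers treat empty fields as a failed login is not visible in this hunk, so the contract should be stated on the function, whose doc comment sits above the hunk. I would add something like `// BasicAuthDecode returns an error if encoded is not valid base64 or the decoded value has no ":" separator; either returned field may be empty.` The new error deliberately leaves out the decoded input, which keeps credentials out of logs, and a short why-comment on the `errors.New` line would help preserve that.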
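Review bot: The two new cases in TestBasicAuthDecode are unlabelled and both assert only `assert.Error`, so the test does not show which rejection path each one is meant to cover. `aW52YWxpZA==` is the base64 of `invalid` and reaches the new missing-separator check, while the bare string `invalid` presumably fails earlier at the base64 decode, which lies outside the hunk. I would add a comment above each, e.g. `// valid base64, but the decoded value has no ":" separator` and `// not valid base64`. That way a later change to the decoder cannot quietly turn the first case into a duplicate of the second.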