From e583b38c63939e334bd85321689413cd139953c0 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Tue, 26 May 2026 08:28:33 +0200 Subject: [PATCH] BUG/MINOR: http-fetch: check against the whole token in get_http_auth() In 1.4, Basic authentication support was added by commit f9423ae43a ("[MINOR] acl: add http_auth and http_auth_group"). Interestingly, a mistake there consisted in taking the length of the comparison from the input token, so "b" matches "Basic". It was later propagated to Bearer in 2.5 with commit f5dd337b12 ("MINOR: http: Add http_auth_bearer sample fetch"). Let's just compare the entire tokens. This may be backported though it is very minor.
---
 src/http_fetch.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/http_fetch.c b/src/http_fetch.c
index 3a7ca3c5c..718819c7f 100644
--- a/src/http_fetch.c
+++ b/src/http_fetch.c
@@ -135,7 +135,7 @@ static int get_http_auth(struct sample *smp, struct htx *htx)
 chunk_initlen(&txn->auth.method_data, p, 0, istend(ctx.value) - p);
- if (!strncasecmp("Basic", auth_method.area, auth_method.data)) {
+ if (isteqi(ist2(auth_method.area, auth_method.data), ist("Basic"))) {
 struct buffer *http_auth = get_trash_chunk();
 len = base64dec(txn->auth.method_data.area,
@@ -159,7 +159,7 @@ static int get_http_auth(struct sample *smp, struct htx *htx)
 txn->auth.method = HTTP_AUTH_BASIC;
 return 1;
- } else if (!strncasecmp("Bearer", auth_method.area, auth_method.data)) {
+ } else if (isteqi(ist2(auth_method.area, auth_method.data), ist("Bearer"))) {
 txn->auth.method = HTTP_AUTH_BEARER;
 return 1;
 }
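Review bot: Both rewritten tests in get_http_auth() rebuild `ist2(auth_method.area, auth_method.data)` and carry no comment saying why the scheme has to be matched as a whole token, which is the property that stops a request-supplied length from deciding the match. I would build the token once in a local, e.g. `const struct ist method = ist2(auth_method.area, auth_method.data);`, test `isteqi(method, ist("Basic"))` and `isteqi(method, ist("Bearer"))`, and put `/* match the whole scheme token: the length must never come from the request, or a prefix such as "b" is accepted as "Basic" */` above the first test. The same applies to the Bearer test in the second hunk. The diffstat lists only src/http_fetch.c, so nothing visible here pins the stricter match with a test, and the function body starts and ends outside both hunks.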