authoriilyak <iilyak@users.noreply.github.com>2021-07-02 04:21:01 -0700
committerGitHub <noreply@github.com>2021-07-02 04:21:01 -0700
commit9b609f4d891f11d5c3c9c324356219c8516a4177 (patch)
tree3b92c722f7d0e2ca185bf11c1c70d355041b9993
parente186808381569d82da89503e8bc3bc150b8b4e4c (diff)
parentf8583bf590d245b1a67d26975199788db596c02f (diff)
downloadcouchdb-9b609f4d891f11d5c3c9c324356219c8516a4177.tar.gz
Merge pull request #3637 from noahshaw11/remove-case-sensitivity-for-basic-auth
Remove case sensitivity for basic auth
-rw-r--r--src/couch/src/couch_httpd_auth.erl38
-rw-r--r--test/elixir/test/config/suite.elixir3
-rw-r--r--test/elixir/test/security_validation_test.exs39
3 files changed, 63 insertions, 17 deletions
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index f0ca2d56c..fd420bbb0 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -99,24 +99,28 @@ special_test_authentication_handler(Req) ->
basic_name_pw(Req) ->
AuthorizationHeader = header_value(Req, "Authorization"),
case AuthorizationHeader of
- "Basic " ++ Base64Value ->
- try
- re:split(
- base64:decode(Base64Value),
- ":",
- [{return, list}, {parts, 2}]
- )
- of
- ["_", "_"] ->
- % special name and pass to be logged out
- nil;
- [User, Pass] ->
- {User, Pass};
+ Header when is_list(Header) ->
+ [Basic, Base64Value] = string:split(Header, " "),
+ case string:casefold(Basic) of
+ "basic" ->
+ try re:split(base64:decode(Base64Value), ":",
+ [{return, list}, {parts, 2}]) of
+ ["_", "_"] ->
+ % special name and pass to be logged out
+ nil;
+ [User, Pass] ->
+ {User, Pass};
+ _ ->
+ nil
+ catch
+ error:function_clause ->
+ throw({
+ bad_request,
+ "Authorization header has invalid base64 value"
+ })
+ end;
_ ->
- nil
- catch
- error:function_clause ->
- throw({bad_request, "Authorization header has invalid base64 value"})
+ throw({bad_request, "Authorization header is invalid"})
end;
_ ->
nil
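Review bot: `[Basic, Base64Value] = string:split(Header, " ")` raises a badmatch whenever the header contains no space (a bare `Basic`, or an opaque single token), because `string:split/2` then returns a one-element list; that error sits outside the `try`, so it surfaces as a server error rather than the `bad_request` the rest of this clause aims for, where the old `"Basic " ++ _` pattern simply fell through to `nil`. Wrapping the split in a `case` with a fallback keeps every malformed header on the `bad_request` path. Separately, a well-formed header with a non-Basic scheme (e.g. `Bearer …`) now throws `bad_request` where it previously returned `nil`; whether other handlers in this module depend on that `nil` fall-through is worth confirming, as they are outside the hunk. The enclosing function's closing `end.` is also outside the hunk.
```erlang
        Header when is_list(Header) ->
            case string:split(Header, " ") of
                [Basic, Base64Value] ->
                    case string:casefold(Basic) of
                        "basic" ->
                            %% … unchanged: base64 decode, re:split and catch …
                        _ ->
                            throw({bad_request, "Authorization header is invalid"})
                    end;
                _ ->
                    throw({bad_request, "Authorization header is invalid"})
            end;
```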
diff --git a/test/elixir/test/config/suite.elixir b/test/elixir/test/config/suite.elixir
index 7d2fc7966..467ef2c34 100644
--- a/test/elixir/test/config/suite.elixir
+++ b/test/elixir/test/config/suite.elixir
@@ -388,6 +388,9 @@
"Ddoc writes with admin and replication contexts",
"Force basic login",
"Jerry can save a document normally",
+ "Jerry with lowercase 'Basic' auth can save a document normally",
+ "Jerry with uppercase 'Basic' auth can save a document normally",
+ "Jerry with mixed case 'Basic' auth can save a document normally",
"Non-admin user cannot save a ddoc",
"Saving document using the wrong credentials",
"_session API",
diff --git a/test/elixir/test/security_validation_test.exs b/test/elixir/test/security_validation_test.exs
index dddf7a7b8..cfab242b4 100644
--- a/test/elixir/test/security_validation_test.exs
+++ b/test/elixir/test/security_validation_test.exs
@@ -25,6 +25,18 @@ defmodule SecurityValidationTest do
spike: [
# spike:dog
authorization: "Basic c3Bpa2U6ZG9n"
+ ],
+ jerry_lowercase_basic: [
+ # jerry:mouse with lowercase 'Basic'
+ authorization: "basic amVycnk6bW91c2U="
+ ],
+ jerry_uppercase_basic: [
+ # jerry:mouse with uppercase 'Basic'
+ authorization: "BASIC amVycnk6bW91c2U="
+ ],
+ jerry_mixed_case_basic: [
+ # jerry:mouse with mixed case 'Basic'
+ authorization: "BAsIc amVycnk6bW91c2U="
]
}
@@ -113,6 +125,33 @@ defmodule SecurityValidationTest do
end
@tag :with_db
+ test "Jerry with lowercase 'Basic' auth can save a document normally", context do
+ headers = @auth_headers[:jerry_lowercase_basic]
+ assert Couch.get("/_session", headers: headers).body["userCtx"]["name"] == "jerry"
+
+ doc = %{_id: "testdoc1", foo: 1, author: "jerry"}
+ assert Couch.post("/#{context[:db_name]}", body: doc).body["ok"]
+ end
+
+ @tag :with_db
+ test "Jerry with uppercase 'Basic' auth can save a document normally", context do
+ headers = @auth_headers[:jerry_uppercase_basic]
+ assert Couch.get("/_session", headers: headers).body["userCtx"]["name"] == "jerry"
+
+ doc = %{_id: "testdoc2", foo: 1, author: "jerry"}
+ assert Couch.post("/#{context[:db_name]}", body: doc).body["ok"]
+ end
+
+ @tag :with_db
+ test "Jerry with mixed case 'Basic' auth can save a document normally", context do
+ headers = @auth_headers[:jerry_mixed_case_basic]
+ assert Couch.get("/_session", headers: headers).body["userCtx"]["name"] == "jerry"
+
+ doc = %{_id: "testdoc3", foo: 1, author: "jerry"}
+ assert Couch.post("/#{context[:db_name]}", body: doc).body["ok"]
+ end
+
+ @tag :with_db
test "Non-admin user cannot save a ddoc", context do
headers = @auth_headers[:jerry]
resp = Couch.post("/#{context[:db_name]}", body: @ddoc, headers: headers)