mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-08-25 11:43:55 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix: ASCII equal fold for authorization header (#8391)

Browse source 
For the "Authorization:" header only lowercase "token" was accepted. This change allows uppercase "Token" as well.

Signed-off-by: Nis Wechselberg <enbewe@enbewe.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8391
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Nis Wechselberg <enbewe@enbewe.de>
Co-committed-by: Nis Wechselberg <enbewe@enbewe.de>
This commit is contained in:
Nis Wechselberg 2025-07-09 23:01:03 +02:00 committed by Gusted
commit 24d6972f6b
4 changed files with 78 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

28
services/auth/oauth2_test.go
View file

@ -4,6 +4,7 @@
package auth
import (
"net/http"
"testing"
"forgejo.org/models/unittest"
@ -52,3 +53,30 @@ func TestCheckTaskIsRunning(t *testing.T) {
})
}
}
func TestParseToken(t *testing.T) {
cases := map[string]struct {
Header string
ExpectedToken string
Expected bool
}{
"Token Uppercase": {Header: "Token 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
"Token Lowercase": {Header: "token 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
"Token Unicode": {Header: "to\u212Aen 1234567890123456789012345687901325467890", ExpectedToken: "", Expected: false},
"Bearer Uppercase": {Header: "Bearer 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
"Bearer Lowercase": {Header: "bearer 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
"Missing type": {Header: "1234567890123456789012345687901325467890", ExpectedToken: "", Expected: false},
"Three Parts": {Header: "abc 1234567890 test", ExpectedToken: "", Expected: false},
}
for name := range cases {
c := cases[name]
t.Run(name, func(t *testing.T) {
req, _ := http.NewRequest("GET", "/", nil)
req.Header.Add("Authorization", c.Header)
ActualToken, ActualSuccess := parseToken(req)
assert.Equal(t, c.ExpectedToken, ActualToken)
assert.Equal(t, c.Expected, ActualSuccess)
})
}
}