From 0ffe2dd68fb73da3fd1d6859ebda341f0c615b51 Mon Sep 17 00:00:00 2001
From: Marc Planard
Date: Wed, 1 Mar 2017 11:30:56 +0100
Subject: [PATCH 1/2] fix failed auth if password contains a colon
---
 lib/passport-http/strategies/basic.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/passport-http/strategies/basic.js b/lib/passport-http/strategies/basic.js
index a1f251c..bcaca21 100644
--- a/lib/passport-http/strategies/basic.js
+++ b/lib/passport-http/strategies/basic.js
@@ -71,8 +71,9 @@ BasicStrategy.prototype.authenticate = function(req) {
 var parts = authorization.split(' ')
 if (parts.length < 2) { return this.fail(400); }
- var scheme = parts[0]
- , credentials = new Buffer(parts[1], 'base64').toString().split(':');
+ var scheme = parts[0], credstr = new Buffer(parts[1], 'base64').toString();
+ var credentials = [ credstr.substr(0, credstr.indexOf(":")),
+ credstr.substr(credstr.indexOf(":")+1) ];
 if (!/Basic/i.test(scheme)) { return this.fail(this._challenge()); }
 if (credentials.length < 2) { return this.fail(400); }
From dfac2acb136eda0d17eba6387a4e10e851097907 Mon Sep 17 00:00:00 2001
From: Marc Planard
Date: Wed, 1 Mar 2017 11:54:29 +0100
Subject: [PATCH 2/2] fix tests
---
 lib/passport-http/strategies/basic.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/passport-http/strategies/basic.js b/lib/passport-http/strategies/basic.js
index bcaca21..4dbc9f7 100644
--- a/lib/passport-http/strategies/basic.js
+++ b/lib/passport-http/strategies/basic.js
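Review bot: In the first patch's hunk (`@@ -71,8 +71,9 @@`) the rewritten decode line still uses `new Buffer(parts[1], 'base64')`, the deprecated constructor; `Buffer.from(parts[1], 'base64')` is the replacement, provided the Node versions this package supports have it. The split on the first colon is the security-relevant decision here and carries no comment; something like `// RFC 7617: the user-id cannot contain ':', so everything after the first colon is the password` would keep a later edit from reverting to `split(':')`. `authenticate` begins and ends outside the hunk.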
@@ -72,11 +72,10 @@ BasicStrategy.prototype.authenticate = function(req) { if (parts.length < 2) { return this.fail(400); } var scheme = parts[0], credstr = new Buffer(parts[1], 'base64').toString(); + if (credstr.indexOf(":") === -1) { return this.fail(400); } var credentials = [ credstr.substr(0, credstr.indexOf(":")), credstr.substr(credstr.indexOf(":")+1) ]; - if (!/Basic/i.test(scheme)) { return this.fail(this._challenge()); } - if (credentials.length < 2) { return this.fail(400); } var userid = credentials[0]; var password = credentials[1];
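Review bot: The scheme test `/Basic/i.test(scheme)` has to remain in `authenticate` and should run before the decoded credentials are inspected; on this collapsed rendering the `-` in front of it could be a removed blank line or the removal of the check itself, so confirm it is still present on the new side. With the added `credstr.indexOf(":") === -1` guard placed first, a header using another scheme whose token decodes without a colon is answered with `400` rather than the challenge. Moving `if (!/^Basic$/i.test(scheme)) { return this.fail(this._challenge()); }` directly after `var scheme = parts[0]` restores the order, and anchoring the pattern stops scheme names that merely contain "basic" from matching. The separator position is also computed three times on the new side; `var sep = credstr.indexOf(':');` once, reused in the guard and both `substr` calls, reads better. The function begins and ends outside the hunk.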