Fix Basic auth validation in managed HttpListener

Author: stephentoub

src/System.Net.HttpListener/src/System/Net/Managed/HttpListenerContext.Managed.cs

@@ -5,6 +5,7 @@
 using System.ComponentModel;
 using System.Net.WebSockets;
 using System.Security.Principal;
+using System.Text;
 using System.Threading.Tasks;
 
 namespace System.Net
@@ -28,63 +29,60 @@ internal HttpListenerContext(HttpConnection connection)
         internal bool HaveError => ErrorMessage != null;
 
         internal HttpConnection Connection => _connection;
-        
+
         internal void ParseAuthentication(AuthenticationSchemes expectedSchemes)
         {
             if (expectedSchemes == AuthenticationSchemes.Anonymous)
                 return;
 
             string header = Request.Headers[HttpKnownHeaderNames.Authorization];
-            if (header == null || header.Length < 2)
+            if (string.IsNullOrEmpty(header))
                 return;
 
-            string[] authenticationData = header.Split(new char[] { ' ' }, 2);
-            if (string.Compare(authenticationData[0], AuthenticationTypes.Basic, true) == 0)
+            if (IsBasicHeader(header))
             {
-                _user = ParseBasicAuthentication(authenticationData[1]);
+                _user = ParseBasicAuthentication(header.Substring(AuthenticationTypes.Basic.Length + 1));
             }
         }
 
-        internal IPrincipal ParseBasicAuthentication(string authData)
+        internal IPrincipal ParseBasicAuthentication(string authData) =>
+            TryParseBasicAuth(authData, out HttpStatusCode errorCode, out string username, out string password) ?
+                new GenericPrincipal(new HttpListenerBasicIdentity(username, password), Array.Empty<string>()) :
+                null;
+
+        internal static bool IsBasicHeader(string header) =>
+            header.Length >= 6 &&
+            header[5] == ' ' &&
+            string.Compare(header, 0, AuthenticationTypes.Basic, 0, 5, StringComparison.OrdinalIgnoreCase) == 0;
+
+        internal static bool TryParseBasicAuth(string headerValue, out HttpStatusCode errorCode, out string username, out string password)
         {
+            errorCode = HttpStatusCode.OK;
+            username = password = null;
             try
             {
-                // Basic AUTH Data is a formatted Base64 String
-                string user = null;
-                string password = null;
-                int pos = -1;
-                string authString = Text.Encoding.Default.GetString(Convert.FromBase64String(authData));
-
-                // The format is DOMAIN\username:password
-                // Domain is optional
-
-                pos = authString.IndexOf(':');
-
-                // parse the password off the end
-                password = authString.Substring(pos + 1);
-
-                // discard the password
-                authString = authString.Substring(0, pos);
-
-                // check if there is a domain
-                pos = authString.IndexOf('\\');
-
-                if (pos > 0)
+                if (string.IsNullOrWhiteSpace(headerValue))
                 {
-                    user = authString.Substring(pos);
+                    return false;
                 }
-                else
+
+                string authString = Encoding.UTF8.GetString(Convert.FromBase64String(headerValue));
+                int colonPos = authString.IndexOf(':');
+                if (colonPos < 0)
                 {
-                    user = authString;
+                    // username must be at least 1 char
+                    errorCode = HttpStatusCode.BadRequest;
+                    return false;
                 }
 
-                HttpListenerBasicIdentity identity = new HttpListenerBasicIdentity(user, password);
-                return new GenericPrincipal(identity, new string[0]);
+                username = authString.Substring(0, colonPos);
+                password = authString.Substring(colonPos + 1);
+                return true;
             }
-            catch (Exception)
+            catch
             {
-                // Invalid auth data is swallowed silently
-                return null;
+                errorCode = HttpStatusCode.InternalServerError;
+                return false;
             }
         }
 

src/System.Net.HttpListener/src/System/Net/Managed/ListenerAsyncResult.Managed.cs

@@ -135,11 +135,22 @@ internal void Complete(HttpListenerContext context, bool synch)
                     authFailure = true;
                     context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                 }
-                else if (context.AuthenticationSchemes == AuthenticationSchemes.Basic && context.Request.Headers["Authorization"] == null)
+                else if (context.AuthenticationSchemes == AuthenticationSchemes.Basic)
                 {
-                    authFailure = true;
-                    context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
-                    context.Response.Headers["WWW-Authenticate"] = context.AuthenticationSchemes + " realm=\"" + context._listener.Realm + "\"";
+                    HttpStatusCode errorCode = HttpStatusCode.Unauthorized;
+                    string authHeader = context.Request.Headers["Authorization"];
+                    if (authHeader == null ||
+                        !HttpListenerContext.IsBasicHeader(authHeader) ||
+                        authHeader.Length < AuthenticationTypes.Basic.Length + 2 ||
+                        !HttpListenerContext.TryParseBasicAuth(authHeader.Substring(AuthenticationTypes.Basic.Length + 1), out errorCode, out string _, out string __))
+                    {
+                        authFailure = true;
+                        context.Response.StatusCode = (int)errorCode;
+                        if (errorCode == HttpStatusCode.Unauthorized)
+                        {
+                            context.Response.Headers["WWW-Authenticate"] = context.AuthenticationSchemes + " realm=\"" + context._listener.Realm + "\"";
+                        }
+                    }
                 }
 
                 if (authFailure)

src/System.Net.HttpListener/tests/AuthenticationTests.cs

@@ -57,7 +57,7 @@ public async Task BasicAuthentication_ValidUsernameAndPassword_Success(Authentic
         }
 
         [ActiveIssue(19967, TargetFrameworkMonikers.NetFramework)]
-        [ConditionalTheory(nameof(Helpers) + "." + nameof(Helpers.IsWindowsImplementation))] // [ActiveIssue(20099, TestPlatforms.Unix)]
+        [ConditionalTheory(nameof(PlatformDetection) + "." + nameof(PlatformDetection.IsNotOneCoreUAP))]
         [MemberData(nameof(BasicAuthenticationHeader_TestData))]
         public async Task BasicAuthentication_InvalidRequest_SendsStatusCodeClient(string header, HttpStatusCode statusCode)
         {
@@ -124,6 +124,18 @@ public async Task TestBasicAuthenticationWithDelegate()
             await ValidateValidUser();
         }
 
+        [ConditionalTheory(nameof(PlatformDetection) + "." + nameof(PlatformDetection.IsNotOneCoreUAP))]
+        [InlineData("somename:somepassword", "somename", "somepassword")]
+        [InlineData("somename:", "somename", "")]
+        [InlineData(":somepassword", "", "somepassword")]
+        [InlineData("somedomain\\somename:somepassword", "somedomain\\somename", "somepassword")]
+        [InlineData("\\somename:somepassword", "\\somename", "somepassword")]
+        public async Task TestBasicAuthenticationWithValidAuthStrings(string authString, string expectedName, string expectedPassword)
+        {
+            _listener.AuthenticationSchemes = AuthenticationSchemes.Basic;
+            await ValidateValidUser(authString, expectedName, expectedPassword);
+        }
+
         [ConditionalFact(nameof(PlatformDetection) + "." + nameof(PlatformDetection.IsNotOneCoreUAP))]
         public async Task TestAnonymousAuthenticationWithDelegate()
         {
@@ -409,21 +421,27 @@ private async Task ValidateNullUser()
             }
         }
 
-        private async Task ValidateValidUser()
+        private Task ValidateValidUser() =>
+            ValidateValidUser(string.Format("{0}:{1}", TestUser, TestPassword), TestUser, TestPassword);
+
+        private async Task ValidateValidUser(string authHeader, string expectedUsername, string expectedPassword)
         {
             Task<HttpListenerContext> serverContextTask = _listener.GetContextAsync();
             using (HttpClient client = new HttpClient())
             {
                 client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(
                     Basic,
-                    Convert.ToBase64String(Encoding.ASCII.GetBytes(string.Format("{0}:{1}", TestUser, TestPassword))));
+                    Convert.ToBase64String(Encoding.ASCII.GetBytes(authHeader)));
 
-                Task<string> clientTask = client.GetStringAsync(_factory.ListeningUrl);
+                Task <string> clientTask = client.GetStringAsync(_factory.ListeningUrl);
                 HttpListenerContext listenerContext = await serverContextTask;
 
-                Assert.Equal(TestUser, listenerContext.User.Identity.Name);
-                Assert.True(listenerContext.User.Identity.IsAuthenticated);
+                Assert.Equal(expectedUsername, listenerContext.User.Identity.Name);
+                Assert.Equal(!string.IsNullOrEmpty(expectedUsername), listenerContext.User.Identity.IsAuthenticated);
                 Assert.Equal(Basic, listenerContext.User.Identity.AuthenticationType);
+
+                HttpListenerBasicIdentity id = Assert.IsType<HttpListenerBasicIdentity>(listenerContext.User.Identity);
+                Assert.Equal(expectedPassword, id.Password);
             }
         }