net/http: Basic Auth header should not be case sensitive #22736

Closed
Sigafoos opened this issue Nov 15, 2017 · 3 comments

@Sigafoos

commented Nov 15, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.8

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

amd64 linux

What did you do?

Although RFC 2617 section 2 seems to specify that a basic auth header should be in the format "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", with the first letter of "basic" capitalized, this is not explicitly stated.

parseBasicAuth() requires "Basic". While this may be correct, many clients send "BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==". This was changed in Rails in 2015, for instance.

That issue incorrectly uses RFC 2617 section 1 as justification, but as section 2 does not explicitly require Basic this seems like something that should be changed in order to offer the broadest compatibility with clients.

Playground example

What did you expect to see?

With BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==, r.BasicAuth() returns "Aladdin", "open sesame", true

What did you see instead?

With BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==, r.BasicAuth() returns "", "", false

@bradfitz bradfitz changed the title Basic Auth header should not be case sensitive net/http: Basic Auth header should not be case sensitive Nov 15, 2017

@bradfitz bradfitz added this to the Go1.11 milestone Nov 15, 2017

@bradfitz

Member

commented Nov 15, 2017

@flowerysong


commented Nov 16, 2017

You state that rails/rails#21199 "incorrectly uses RFC 2617 section 1 as justification"; I would argue that the justification is entirely correct. RFC 2617 describes the framework of an authentication method and two specific schemes that use the framework. Since the framework definition in section 1.2 says it "uses an extensible, case-insensitive token to identify the authentication scheme", an individual scheme cannot change this and treat the token as case sensitive, nor does each defined scheme need to specify that the token is case insensitive.

@bradfitz bradfitz added the NeedsFix label May 4, 2018

@bradfitz bradfitz self-assigned this May 4, 2018

@gopherbot gopherbot removed the NeedsDecision label May 4, 2018

@gopherbot


commented May 4, 2018

Change https://golang.org/cl/111516 mentions this issue: net/http: ignore case of basic auth scheme in Request.BasicAuth

@gopherbot gopherbot closed this in eed79f4 May 4, 2018
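
The behaviour discussed in this thread, as an added example that is not code from the Go repository or from the change referenced above: `parseBasic` and `viaStdlib` are hypothetical helpers that compare an exact `"Basic "` prefix match with a case-insensitive scheme match over constructed header values, then pass the same values through the real `Request.BasicAuth`. On a toolchain that includes the change, the standard library column agrees with the case-insensitive one.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// parseBasic decodes an Authorization header value. With foldCase=false it
// demands the exact prefix "Basic " (the behaviour reported in this issue);
// with foldCase=true the scheme token is compared case-insensitively.
func parseBasic(auth string, foldCase bool) (user, pass string, ok bool) {
	const prefix = "Basic "
	if len(auth) < len(prefix) {
		return "", "", false
	}
	scheme := auth[:len(prefix)]
	if scheme != prefix && !(foldCase && strings.EqualFold(scheme, prefix)) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(auth[len(prefix):])
	if err != nil {
		return "", "", false
	}
	// Split on the first colon only: a password may itself contain colons.
	i := strings.IndexByte(string(raw), ':')
	if i < 0 {
		return "", "", false
	}
	return string(raw[:i]), string(raw[i+1:]), true
}

// viaStdlib passes the same header value through Request.BasicAuth.
func viaStdlib(auth string) (string, string, bool) {
	r := &http.Request{Header: http.Header{"Authorization": {auth}}}
	return r.BasicAuth()
}

func main() {
	cred := "QWxhZGRpbjpvcGVuIHNlc2FtZQ=="                          // credential string from the issue
	noColon := base64.StdEncoding.EncodeToString([]byte("nocolon")) // constructed
	for _, h := range []string{"Basic " + cred, "BASIC " + cred, "basic " + cred,
		"Bearer " + cred, "BASIC %%%", "Basic " + noColon} {
		_, _, strict := parseBasic(h, false)
		u, p, fold := parseBasic(h, true)
		_, _, std := viaStdlib(h)
		fmt.Printf("%-40q strict=%-5v fold=%-5v stdlib=%-5v %q %q\n", h, strict, fold, std, u, p)
	}
}
```

Folding the scheme token does not loosen the rest of the parse: a different scheme, invalid base64 and a credential without a colon are still rejected.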

hyperledger-github pushed a commit to hyperledger/fabric-ca that referenced this issue Oct 17, 2018

[FABC-740] Update to Go 1.11.1
- fix gofmt errors
- fix goimports errors
- remove test due to
golang/go#22736

FABC-740 #done

Change-Id: Ie59c50c28424be52df5490743ab7afcf255ea4c3
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>

@golang golang locked and limited conversation to collaborators May 4, 2019
