
Ensure that the basic auth middleware correctly parses passwords cont…

…aining `:`.

According to section 2 of RFC 2617, `user-pass = userid ":" password` and only the `userid` excludes `:`, so a password may contain any TEXT, including `:`. The credential string must therefore be split at the first `:` only.
1 parent 088d867 commit a580a9d771a7429975d69246de2f9c17a52fa5bd @kitcambridge kitcambridge committed Nov 2, 2012
Showing with 10 additions and 8 deletions.
  1. +6 −4 lib/middleware/basicAuth.js
  2. +4 −4 test/basicAuth.js
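--- a/lib/middleware/basicAuth.js
+++ b/lib/middleware/basicAuth.js
@@ -72,11 +72,13 @@ module.exports = function basicAuth(callback, realm) {
 if (parts.length !== 2) return next(utils.error(400));
 var scheme = parts[0]
- , credentials = new Buffer(parts[1], 'base64').toString().split(':')
- , user = credentials[0]
- , pass = credentials[1];
+ , credentials = new Buffer(parts[1], 'base64').toString()
+ , index = credentials.indexOf(':');
- if ('Basic' != scheme) return next(utils.error(400));
+ if ('Basic' != scheme || index < 0) return next(utils.error(400));
+
+ var user = credentials.slice(0, index)
+ , pass = credentials.slice(index + 1);
 // async
 if (callback.length >= 3) {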
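Review bot: The `indexOf(':')` plus two `slice` calls are the whole fix, but nothing in the code says why the credential must be cut at the first `:` rather than `split(':')`, so a later tidy-up could reintroduce the truncated-password bug silently; I would put the rationale on the `index` line: `// RFC 2617 §2: user-pass = userid ":" password, and only userid excludes ':' — split on the FIRST ':' so the password itself may contain ':'`. The rewritten guard is right to answer 400 when no `:` is present, since there is then no way to separate user from password. One pre-existing point that the rewritten condition keeps is the case-sensitive `'Basic' != scheme`; HTTP auth-scheme names are case-insensitive (RFC 7235 §2.1) and some clients do send `basic`, so `'basic' != scheme.toLowerCase()` would be more tolerant — confirm that leniency is wanted before changing it. `basicAuth` begins before this hunk and its body continues past it.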
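--- a/test/basicAuth.js
+++ b/test/basicAuth.js
@@ -19,7 +19,7 @@ function test(app, signature) {
 it('should next()', function(done){
 app.request()
 .get('/')
- .set('Authorization', 'Basic dGo6dG9iaQ==')
+ .set('Authorization', 'Basic dGo6dG9iaTpsZWFybmJvb3N0')
 .end(function(res){
 res.statusCode.should.equal(200);
 res.body.should.equal('secret!');
@@ -72,7 +72,7 @@ function test(app, signature) {
 var app = connect();
-app.use(connect.basicAuth('tj', 'tobi'));
+app.use(connect.basicAuth('tj', 'tobi:learnboost'));
 app.use(function(req, res, next){
 req.user.should.equal('tj');
@@ -86,7 +86,7 @@ test(app, 'connect.basicAuth(user, pass)');
 var app = connect();
 app.use(connect.basicAuth(function(user, pass){
- return 'tj' == user && 'tobi' == pass;
+ return 'tj' == user && 'tobi:learnboost' == pass;
 }));
 app.use(function(req, res, next){
@@ -101,7 +101,7 @@ test(app, 'connect.basicAuth(callback)');
 var app = connect();
 app.use(connect.basicAuth(function(user, pass, fn){
- var ok = 'tj' == user && 'tobi' == pass;
+ var ok = 'tj' == user && 'tobi:learnboost' == pass;
 fn(null, ok
 ? { name: 'tj' }
 : null);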
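Review bot: The new header value `Basic dGo6dG9iaTpsZWFybmJvb3N0` in the `should next()` case only covers the happy path; the rejection the middleware change also introduces — a decoded credential with no `:` now answering 400 — is not exercised by any hunk visible here, so it would be easy to lose in a later refactor. I would add a sibling case inside `test(app, signature)` that sends `.set('Authorization', 'Basic dGo=')` (base64 of `tj`, no colon) and asserts `res.statusCode.should.equal(400)`. An empty-user case such as `Basic OnRvYmk=` (`:tobi`) is also worth pinning, since splitting on the first `:` makes it a valid credential per RFC 2617 — skip it if the rest of the file already covers that. `test()` starts before the first hunk, and the later hunks are cut mid-setup.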
