Skip Menu |

This queue is for tickets about the Mojolicious-Plugin-BasicAuth CPAN distribution.

Report information
The Basics
Id: 69455
Status: open
Priority: 0/
Queue: Mojolicious-Plugin-BasicAuth
People
Owner: Nobody in particular
Requestors: scott [...] perlcode.org
Cc:
AdminCc:
Bug Information
Severity: Important
Broken in: 0.05
Fixed in: (no value)

History Show all quoted text
  Wed Jul 13 20:16:00 2011 scott [...] mailblock.net - Ticket created
Subject: patch for passwords with colon
Authentication fails when there is a colon in the password field due to an unbounded split. The following patch fixes this. --- lib/Mojolicious/Plugin/BasicAuth.pm~ 2011-06-02 11:00:24.000000000 -0600 +++ lib/Mojolicious/Plugin/BasicAuth.pm 2011-07-13 18:11:28.000000000 -0600 @@ -28,7 +28,7 @@ if !$auth and !$callback; # Verification within callback - return 1 if $callback and $callback->(split /:/, $auth); + return 1 if $callback and $callback->(split /:/, $auth, 2); # Verified with realm => username => password syntax return 1 if $auth eq ($username || '') . ":$password";
  Wed Jul 13 21:50:40 2011 glen [...] empireenterprises.com - Correspondence added
Subject: Re: [rt.cpan.org #69455] patch for passwords with colon
Date: Wed, 13 Jul 2011 21:50:21 -0400
To: bug-Mojolicious-Plugin-BasicAuth [...] rt.cpan.org
From: Glen <glen [...] empireenterprises.com>
Awesome! I need matching tests to allow a patch, though. Please make a pull request on github: https://github.com/tempire/mojolicious-plugin-basicauth On Wed, Jul 13, 2011 at 8:16 PM, Scott Wiersdorf via RT < bug-Mojolicious-Plugin-BasicAuth@rt.cpan.org> wrote: Show quoted text
> Wed Jul 13 20:16:00 2011: Request 69455 was acted upon. > Transaction: Ticket created by SCOTTW > Queue: Mojolicious-Plugin-BasicAuth > Subject: patch for passwords with colon > Broken in: 0.05 > Severity: Important > Owner: Nobody > Requestors: scott@perlcode.org > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=69455 > > > > Authentication fails when there is a colon in the password field due to an > unbounded split. The > following patch fixes this. > > --- lib/Mojolicious/Plugin/BasicAuth.pm~ 2011-06-02 > 11:00:24.000000000 -0600 > +++ lib/Mojolicious/Plugin/BasicAuth.pm 2011-07-13 18:11:28.000000000 -0600 > @@ -28,7 +28,7 @@ > if !$auth and !$callback; > > # Verification within callback > - return 1 if $callback and $callback->(split /:/, $auth); > + return 1 if $callback and $callback->(split /:/, $auth, 2); > > # Verified with realm => username => password syntax > return 1 if $auth eq ($username || '') . ":$password"; > >
  Wed Jul 13 21:50:41 2011 The RT System itself - Status changed from 'new' to 'open'
  Wed Jul 13 22:53:28 2011 scott [...] mailblock.net - Correspondence added
Full diff patch attached (I'm new to both github and mojolicious—let me know if this is correct protocol or not).
Subject: m_p_basicauth-password_colon.patch
diff --git a/lib/Mojolicious/Plugin/BasicAuth.pm b/lib/Mojolicious/Plugin/BasicAuth.pm index a92897e..00add8f 100644 --- a/lib/Mojolicious/Plugin/BasicAuth.pm +++ b/lib/Mojolicious/Plugin/BasicAuth.pm @@ -28,7 +28,7 @@ sub register { if !$auth and !$callback; # Verification within callback - return 1 if $callback and $callback->(split /:/, $auth); + return 1 if $callback and $callback->(split /:/, $auth, 2); # Verified with realm => username => password syntax return 1 if $auth eq ($username || '') . ":$password"; diff --git a/t/auth.t b/t/auth.t index 35e1cdc..bdb9892 100644 --- a/t/auth.t +++ b/t/auth.t @@ -6,7 +6,7 @@ use Mojo::ByteStream; # Make sure sockets are working plan skip_all => 'working sockets required for this test!' unless Mojo::IOLoop->new->generate_port; # Test server -plan tests => 39; +plan tests => 45; # Lite app use Mojolicious::Lite; @@ -56,6 +56,16 @@ get '/under-bridge' => sub { shift->render(text => 'authorized'); }; +under sub { + my $self = shift; + return $self->basic_auth( + realm => sub { return 1 if "@_" eq 'username passw:ord' }); +}; + +get '/under-bridge-colon' => sub { + shift->render(text => 'authorized'); +}; + # Tests my $t = Test::Mojo->new; my $encoded; @@ -92,6 +102,14 @@ chop $encoded; $t->get_ok('/under-bridge', {Authorization => "Basic $encoded"}) ->status_is(401)->content_is(''); +# Under bridge-colon fail +diag '/under-bridge-colon'; +$encoded = Mojo::ByteStream->new("username:password")->b64_encode->to_string; +chop $encoded; +$t->get_ok('/under-bridge-colon', {Authorization => "Basic $encoded"}) + ->status_is(401)->content_is(''); + + # Successes # # Username, password @@ -122,3 +140,9 @@ chop $encoded; $t->get_ok('/under-bridge', {Authorization => "Basic $encoded"}) ->status_is(200)->content_is('authorized'); +# Under bridge w/ colon +diag '/under-bridge-colon'; +$encoded = Mojo::ByteStream->new("username:passw:ord")->b64_encode->to_string; +chop $encoded; +$t->get_ok('/under-bridge-colon', {Authorization => "Basic $encoded"}) + ->status_is(200)->content_is('authorized');