
net/http: Basic Auth header should not be case sensitive #22736

Closed
Sigafoos opened this issue Nov 15, 2017 · 3 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments

@Sigafoos

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

1.8

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

amd64 linux

What did you do?

Although RFC 2617 section 2 seems to specify that a basic auth header should be in the format "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", with the first letter of "basic" capitalized, this is not explicitly stated.

parseBasicAuth() requires "Basic". While this may be correct, many clients send "BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==". This was changed in Rails in 2015, for instance.

That issue incorrectly uses RFC 2617 section 1 as justification, but as section 2 does not explicitly require Basic this seems like something that should be changed in order to offer the broadest compatibility with clients.

Playground example

What did you expect to see?

With BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==, r.BasicAuth() returns "Aladdin", "open sesame", true

What did you see instead?

With BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==, r.BasicAuth() returns "", "", false

@bradfitz bradfitz changed the title Basic Auth header should not be case sensitive net/http: Basic Auth header should not be case sensitive Nov 15, 2017
@bradfitz bradfitz added the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label Nov 15, 2017
@bradfitz bradfitz added this to the Go1.11 milestone Nov 15, 2017
@bradfitz
Contributor

/cc @tombergan

@flowerysong

You state that rails/rails#21199 "incorrectly uses RFC 2617 section 1 as justification"; I would argue that the justification is entirely correct. RFC 2617 describes the framework of an authentication method and two specific schemes that use the framework. Since the framework definition in section 1.2 says it "uses an extensible, case-insensitive token to identify the authentication scheme", an individual scheme cannot change this and treat the token as case sensitive, nor does each defined scheme need to specify that the token is case insensitive.

@bradfitz bradfitz added the NeedsFix The path to resolution is known, but the work has not been done. label May 4, 2018
@bradfitz bradfitz self-assigned this May 4, 2018
@gopherbot gopherbot removed the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label May 4, 2018
@gopherbot

Change https://golang.org/cl/111516 mentions this issue: net/http: ignore case of basic auth scheme in Request.BasicAuth
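As an added illustration of the behaviour reported above and of the change the CL title describes (example code written for this page, not net/http's implementation or the CL itself): a strict parser that only accepts the exact token "Basic ", next to one that compares the scheme token case-insensitively with strings.EqualFold. Only the scheme token is folded; the base64 payload and the decoded credentials keep their case, since folding the whole header would corrupt the credentials.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

const schemePrefix = "Basic " // scheme token plus the separating space

// parseBasicAuthStrict mirrors the behaviour the issue reports:
// only a header beginning with exactly "Basic " is accepted.
func parseBasicAuthStrict(auth string) (username, password string, ok bool) {
	if !strings.HasPrefix(auth, schemePrefix) {
		return "", "", false
	}
	return decodeCredentials(auth[len(schemePrefix):])
}

// parseBasicAuthFold accepts the scheme token in any case ("Basic", "BASIC",
// "basic"), as the case-insensitive token in RFC 2617 section 1.2 requires.
func parseBasicAuthFold(auth string) (username, password string, ok bool) {
	if len(auth) < len(schemePrefix) ||
		!strings.EqualFold(auth[:len(schemePrefix)], schemePrefix) {
		return "", "", false
	}
	return decodeCredentials(auth[len(schemePrefix):])
}

// decodeCredentials base64-decodes "user:pass" and splits on the first colon;
// a malformed payload or a missing colon is rejected rather than guessed at.
func decodeCredentials(b64 string) (username, password string, ok bool) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", "", false
	}
	creds := string(raw)
	i := strings.IndexByte(creds, ':')
	if i < 0 {
		return "", "", false
	}
	return creds[:i], creds[i+1:], true
}

func main() {
	// Constructed headers using the RFC 2617 sample credentials from the issue.
	for _, h := range []string{"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", "BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ=="} {
		u, p, ok := parseBasicAuthStrict(h)
		fmt.Printf("strict %q -> %q %q %v\n", h, u, p, ok)
		u, p, ok = parseBasicAuthFold(h)
		fmt.Printf("fold   %q -> %q %q %v\n", h, u, p, ok)
	}
}
```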

ghost pushed a commit to hyperledger/fabric-ca that referenced this issue Oct 17, 2018
- fix gofmt errors
- fix goimports errors
- remove test due to
golang/go#22736

FABC-740 #done

Change-Id: Ie59c50c28424be52df5490743ab7afcf255ea4c3
Signed-off-by: Gari Singh <gari.r.singh@gmail.com>
@golang golang locked and limited conversation to collaborators May 4, 2019