oss/forgejo
oss/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-10-05 19:30:58 +00:00
Code Wiki Activity

[v12.0/forgejo] fix: ASCII equal fold for authorization header (#8459)

Browse source 
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/8391

For the "Authorization:" header only lowercase "token" was accepted. This change allows uppercase "Token" as well.

Signed-off-by: Nis Wechselberg <enbewe@enbewe.de>
Co-authored-by: Nis Wechselberg <enbewe@enbewe.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8459
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
This commit is contained in:
forgejo-backport-action 2025-07-10 01:30:07 +02:00 committed by Gusted
parent eb543dcbdb
commit 501836df77
4 changed files with 78 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
services/auth/oauth2.go
View file

@ -17,6 +17,7 @@ import (
"forgejo.org/modules/log"
"forgejo.org/modules/setting"
"forgejo.org/modules/timeutil"
"forgejo.org/modules/util"
"forgejo.org/modules/web/middleware"
"forgejo.org/services/actions"
"forgejo.org/services/auth/source/oauth2"
@ -125,7 +126,7 @@ func parseToken(req *http.Request) (string, bool) {
// check header token
if auHead := req.Header.Get("Authorization"); auHead != "" {
auths := strings.Fields(auHead)
if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
if len(auths) == 2 && (util.ASCIIEqualFold(auths[0], "token") || util.ASCIIEqualFold(auths[0], "bearer")) {
return auths[1], true
}
}