MWB-806: Don't trim decoded strings from basic authentication header

e734e040 · tobias.friedrich · 7b6ad716 · e734e040 · e734e040 · e734e040
Commit e734e040 authored Dec 17, 2020 by tobias.friedrich
3 changed files
--- a/com.openexchange.server/src/com/openexchange/tools/servlet/http/Authorization.java
+++ b/com.openexchange.server/src/com/openexchange/tools/servlet/http/Authorization.java
@@ -204,10 +204,10 @@ public final class Authorization {
    private static final char UNKNOWN = '\ufffd';

    public static Credentials decode(final String auth) throws UnsupportedCharsetException {
-        final byte[] decoded = Base64.decode(auth.substring(BASIC_AUTH.length() + 1));
-        String userpass = new String(decoded, com.openexchange.java.Charsets.UTF_8).trim();
+        final byte[] decoded = Base64.decode(auth.substring(BASIC_AUTH.length() + 1).trim());
+        String userpass = new String(decoded, com.openexchange.java.Charsets.UTF_8);
        if (userpass.indexOf(UNKNOWN) >= 0) {
-            userpass = new String(decoded, com.openexchange.java.Charsets.ISO_8859_1).trim();
+            userpass = new String(decoded, com.openexchange.java.Charsets.ISO_8859_1);
        }
        final int delimiter = userpass.indexOf(':');
        String login = "";

--- a/com.openexchange.server/test/com/openexchange/i18n/tools/replacement/AuthorizationTest.java
+++ b/com.openexchange.server/test/com/openexchange/i18n/tools/replacement/AuthorizationTest.java
+/*
+ *
+ *    OPEN-XCHANGE legal information
+ *
+ *    All intellectual property rights in the Software are protected by
+ *    international copyright laws.
+ *
+ *
+ *    In some countries OX, OX Open-Xchange, open xchange and OXtender
+ *    as well as the corresponding Logos OX Open-Xchange and OX are registered
+ *    trademarks of the OX Software GmbH group of companies.
+ *    The use of the Logos is not covered by the GNU General Public License.
+ *    Instead, you are allowed to use these Logos according to the terms and
+ *    conditions of the Creative Commons License, Version 2.5, Attribution,
+ *    Non-commercial, ShareAlike, and the interpretation of the term
+ *    Non-commercial applicable to the aforementioned license is published
+ *    on the web site http://www.open-xchange.com/EN/legal/index.html.
+ *
+ *    Please make sure that third-party modules and libraries are used
+ *    according to their respective licenses.
+ *
+ *    Any modifications to this package must retain all copyright notices
+ *    of the original copyright holder(s) for the original code used.
+ *
+ *    After any such modifications, the original and derivative code shall remain
+ *    under the copyright of the copyright holder(s) and/or original author(s)per
+ *    the Attribution and Assignment Agreement that can be located at
+ *    http://www.open-xchange.com/EN/developer/. The contributing author shall be
+ *    given Attribution for the derivative code and a license granting use.
+ *
+ *     Copyright (C) 2016-2020 OX Software GmbH
+ *     Mail: info@open-xchange.com
+ *
+ *
+ *     This program is free software; you can redistribute it and/or modify it
+ *     under the terms of the GNU General Public License, Version 2 as published
+ *     by the Free Software Foundation.
+ *
+ *     This program is distributed in the hope that it will be useful, but
+ *     WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ *     or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ *     for more details.
+ *
+ *     You should have received a copy of the GNU General Public License along
+ *     with this program; if not, write to the Free Software Foundation, Inc., 59
+ *     Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+
+package com.openexchange.i18n.tools.replacement;
+
+import static org.junit.Assert.assertEquals;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+import org.junit.Test;
+import com.openexchange.tools.servlet.http.Authorization;
+import com.openexchange.tools.servlet.http.Authorization.Credentials;
+
+/**
+ * {@link AuthorizationTest}
+ *
+ * @author <a href="mailto:tobias.friedrich@open-xchange.com">Tobias Friedrich</a>
+ * @since 7.10.5
+ */
+public class AuthorizationTest {
+
+    @Test
+    public final void testDecodeBasicAuth() {
+        Map<String, Credentials> headerToCredentials = new HashMap<String, Credentials>();
+        headerToCredentials.put("Basic aGFsbG86MTIz", new Credentials("hallo", "123"));
+        headerToCredentials.put("Basic MyQ1MyAgw7Z3QDIzIDJfN3ExXsKwYjpmc2VnZnNnZnNndmE=", new Credentials("3$53  \u00f6w@23 2_7q1^\u00b0b", "fsegfsgfsgva"));
+        headerToCredentials.put("Basic dXNlcjU6ZW1wdHkxIA==", new Credentials("user5", "empty1 "));
+        headerToCredentials.put("Basic dXNlcjU6IGVtcHR5Mg==", new Credentials("user5", " empty2"));
+        for (Entry<String, Credentials> entry : headerToCredentials.entrySet()) {
+            Credentials actual = Authorization.decode(entry.getKey());
+            assertEquals(entry.getValue().getLogin(), actual.getLogin());
+            assertEquals(entry.getValue().getPassword(), actual.getPassword());
+        }
+    }
+
+}
--- a/com.openexchange.server/test/com/openexchange/server/UnitTests.java
+++ b/com.openexchange.server/test/com/openexchange/server/UnitTests.java
@@ -115,7 +115,8 @@ import com.openexchange.lock.impl.AccessControlImplTest;
    com.openexchange.folderstorage.internal.performers.UserSharedFoldersPerformerTest.class,
    com.openexchange.folderstorage.database.DatabaseFolderTest.class,
    com.openexchange.config.admin.internal.HideAdminServiceImplTest.class,
-    AccessControlImplTest.class
+    AccessControlImplTest.class,
+    com.openexchange.i18n.tools.replacement.AuthorizationTest.class,
 })
 public class UnitTests {