From 66f6cf25d499b97a5a8811ca34ab72f096dd31d4 Mon Sep 17 00:00:00 2001
From: Florian Dold <florian@dold.me>
Date: Tue, 2 Mar 2021 20:03:17 +0100
Subject: fix Authorization header parsing

---
 src/backend/taler-merchant-httpd.c | 53 ++++++++++++++++++++++++++------------
 1 file changed, 37 insertions(+), 16 deletions(-)

(limited to 'src/backend/taler-merchant-httpd.c')

diff --git a/src/backend/taler-merchant-httpd.c b/src/backend/taler-merchant-httpd.c
index 0690e621..77dedaae 100644
--- a/src/backend/taler-merchant-httpd.c
+++ b/src/backend/taler-merchant-httpd.c
@@ -960,6 +960,35 @@ TMH_add_instance (struct TMH_MerchantInstance *mi)
   return ret;
 }
 
+/**
+ * Extract the token from authorization header value @a auth.
+ *
+ * @param auth pointer to authorization header value,
+ *        will be updated to point to the start of the token
+ *        or set to NULL if header value is invalid
+ */
+static void
+extract_token (const char **auth)
+{
+  const char *bearer = "Bearer ";
+  const char *tok = *auth;
+  if (0 != strncmp (tok, bearer, strlen (bearer)))
+  {
+    *auth = NULL;
+    return;
+  }
+  tok = tok + strlen (bearer);
+  while (' ' == *tok)
+    tok++;
+  if (0 != strncasecmp (tok,
+                        RFC_8959_PREFIX,
+                        strlen (RFC_8959_PREFIX)))
+  {
+    *auth = NULL;
+    return;
+  }
+  *auth = tok;
+}
 
 /**
  * A client has requested the given url using the given method
@@ -1654,23 +1683,15 @@ url_handler (void *cls,
                                         MHD_HTTP_HEADER_AUTHORIZATION);
     if (NULL != auth)
     {
-      if  (0 != strncasecmp (auth,
-                             RFC_8959_PREFIX,
-                             strlen (RFC_8959_PREFIX)))
-      {
-        /* We _only_ complain about malformed auth headers if
-           authorization was truly required (#6737). This helps
-           in case authorization was disabled in the backend
-           because some reverse proxy is already doing it, and
-           then that reverse proxy may forward malformed auth
-           headers to the backend. */
+      /* We _only_ complain about malformed auth headers if
+         authorization was truly required (#6737). This helps
+         in case authorization was disabled in the backend
+         because some reverse proxy is already doing it, and
+         then that reverse proxy may forward malformed auth
+         headers to the backend. */
+      extract_token (&auth);
+      if (NULL == auth)
         auth_malformed = true;
-        auth = NULL;
-      }
-      else
-      {
-        auth += strlen (RFC_8959_PREFIX);
-      }
     }
 
     /* Are the credentials provided OK for the default instance?
-- 
cgit v1.2.3