From 27edc1aa19afb043a497a7dc628afa420cb1de55 Mon Sep 17 00:00:00 2001
From: silverwind <me@silverwind.io>
Date: Fri, 18 Dec 2020 02:51:28 +0100
Subject: [PATCH] Fix panic in BasicAuthDecode (#14046)

* Fix panic in BasicAuthDecode

If the string does not contain ":" that function would run into an
`index out of range [1] with length 1` error. prevent that.

* Update BasicAuthDecode()

Co-authored-by: 6543 <6543@obermui.de>
---
 modules/base/tool.go      | 6 ++++++
 modules/base/tool_test.go | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/modules/base/tool.go b/modules/base/tool.go
index 2cc09fb25..00b13f76c 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -10,6 +10,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"net/http"
 	"os"
@@ -63,6 +64,11 @@ func BasicAuthDecode(encoded string) (string, string, error) {
 	}
 
 	auth := strings.SplitN(string(s), ":", 2)
+
+	if len(auth) != 2 {
+		return "", "", errors.New("invalid basic authentication")
+	}
+
 	return auth[0], auth[1], nil
 }
 
diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go
index 0c5bd6657..0b708dafd 100644
--- a/modules/base/tool_test.go
+++ b/modules/base/tool_test.go
@@ -43,6 +43,12 @@ func TestBasicAuthDecode(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "foo", user)
 	assert.Equal(t, "bar", pass)
+
+	_, _, err = BasicAuthDecode("aW52YWxpZA==")
+	assert.Error(t, err)
+
+	_, _, err = BasicAuthDecode("invalid")
+	assert.Error(t, err)
 }
 
 func TestBasicAuthEncode(t *testing.T) {