On Tue, Jan 18, 2022 at 07:04:00PM +0100, Lukas Tribus wrote:
> On Mon, 17 Jan 2022 at 19:37, <[email protected]> wrote:
> >
> > Hi
> >
> > Configuration uses 'no option http-use-htx' in defaults because of case
> > insensitivity.
> > Statistics path haproxy?stats is behind simple username/password and
> > both credentials are specified in config.
> > When accessing haproxy?stats, 2.0.25 works fine, but 2.0.26 returns 401:
> 
> Confirmed and filed:
> https://github.com/haproxy/haproxy/issues/1516

Thanks for the report, bisect and reproducer! The problem is an off-by-one
that was left in the function which used to skip exactly one space. The
attached patch fixes it for me.

> Bug will be fixed, but for the long term:
> 
> - the legacy HTTP code is gone from newer haproxy branches, 'no option
> http-use-htx' is no more
> - in HTX mode, if you have non-compliant clients or servers, use
> h1-case-adjust to work around those case problems

Absolutely! It's becoming important to address such issues (or at least
to work around them if needed), because even in legacy mode the case is
chosen by clients and there's no guarantee that they will use the one
that the application expects. While browsers tend to be extremely
conservative on such things, search engines can be an entirely different
matter!

Thanks,
Willy
diff --git a/src/http_fetch.c b/src/http_fetch.c
index 1e0779ffd..d40bc1d15 100644
--- a/src/http_fetch.c
+++ b/src/http_fetch.c
@@ -166,7 +166,7 @@ static int get_http_auth(struct sample *smp, struct htx 
*htx)
                while (p < h + ctx.vlen && *p == ' ')
                        ++p;
 
-               chunk_initlen(&txn->auth.method_data, p + 1, 0, h + ctx.vlen - 
p);
+               chunk_initlen(&txn->auth.method_data, p, 0, h + ctx.vlen - p);
        }
 
        if (!strncasecmp("Basic", auth_method.area, auth_method.data)) {
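
Review bot: the commit description should say that the removed chunk_initlen() call was inconsistent in both pointer and length, not only that it broke authentication. With the pointer at p + 1 and the length still h + ctx.vlen - p, method_data lost the first character of the credentials and its extent reached one byte past the end of the header value. The replacement passes p with the same length, so the two now agree, including when the loop above stops at p == h + ctx.vlen and the length is 0. A regression test that sends an Authorization header with one space and with several spaces after the scheme would keep this from coming back.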
