This is an automated email from the ASF dual-hosted git repository.

reschke pushed a commit to branch OAK-12259
in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git

commit a48c2e3e52af41877be8876db056fa2c18bdd1f8
Author: Julian Reschke <[email protected]>
AuthorDate: Fri Jun 26 18:41:19 2026 +0100

    OAK-12259: oak-http: OakServlet mis-parses HTTP Basic credentials - many 
many many tests
---
 .../oak/http/AuthorizationFieldTest.java           | 58 ++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git 
a/oak-http/src/test/java/org/apache/jackrabbit/oak/http/AuthorizationFieldTest.java
 
b/oak-http/src/test/java/org/apache/jackrabbit/oak/http/AuthorizationFieldTest.java
index e2a3ab214d..6446bafd43 100644
--- 
a/oak-http/src/test/java/org/apache/jackrabbit/oak/http/AuthorizationFieldTest.java
+++ 
b/oak-http/src/test/java/org/apache/jackrabbit/oak/http/AuthorizationFieldTest.java
@@ -69,4 +69,62 @@ public class AuthorizationFieldTest {
         // BUG: OAK-12259
         assertEquals("bar", new String(credentials.getPassword()));
     }
+
+    @Test(expected = LoginException.class) // BUG
+    public void testSchemeCase() throws LoginException {
+        String b64 = 
Base64.getEncoder().encodeToString("foo:bar".getBytes(StandardCharsets.UTF_8));
+        SimpleCredentials credentials = 
AuthorizationField.valueOf(Collections.enumeration(List.of("BaSiC " + b64)));
+        assertEquals("foo", credentials.getUserID());
+        assertEquals("bar", new String(credentials.getPassword()));
+    }
+
+    @Test
+    public void testMoreWhitespace() throws LoginException {
+        String b64 = 
Base64.getEncoder().encodeToString("foo:bar".getBytes(StandardCharsets.UTF_8));
+        SimpleCredentials credentials = 
AuthorizationField.valueOf(Collections.enumeration(List.of("Basic   " + b64)));
+        assertEquals("foo", credentials.getUserID());
+        assertEquals("bar", new String(credentials.getPassword()));
+    }
+
+    @Test // SHOULD FAIL
+    public void testNonSpWhitespace() throws LoginException {
+        String b64 = 
Base64.getEncoder().encodeToString("foo:bar".getBytes(StandardCharsets.UTF_8));
+        SimpleCredentials credentials = 
AuthorizationField.valueOf(Collections.enumeration(List.of("Basic \t " + b64)));
+        assertEquals("foo", credentials.getUserID());
+        assertEquals("bar", new String(credentials.getPassword()));
+    }
+
+    @Test // SHOULD FAIL
+    public void testBrokenBase64() throws LoginException {
+        String b64 = 
Base64.getEncoder().encodeToString("foo:bar".getBytes(StandardCharsets.UTF_8));
+        b64 = b64.substring(0,5) + " " + b64.substring(5);
+        SimpleCredentials credentials = 
AuthorizationField.valueOf(Collections.enumeration(List.of("Basic \t " + b64)));
+        assertEquals("foo", credentials.getUserID());
+        assertEquals("bar", new String(credentials.getPassword()));
+    }
+
+    @Test(expected = ArrayIndexOutOfBoundsException.class) // BUG should be 
LongException
+    public void testMoreBrokenBase64() throws LoginException {
+        String b64 = 
Base64.getEncoder().encodeToString("foo:bar".getBytes(StandardCharsets.UTF_8));
+        b64 = b64.substring(0,5) + "=" + b64.substring(5);
+        SimpleCredentials credentials = 
AuthorizationField.valueOf(Collections.enumeration(List.of("Basic " + b64)));
+        assertEquals("foo", credentials.getUserID());
+        assertEquals("bar", new String(credentials.getPassword()));
+    }
+
+    @Test
+    public void testMoreNonAscii() throws LoginException {
+        String b64 = 
Base64.getEncoder().encodeToString("test:123\u00a3".getBytes(StandardCharsets.UTF_8));
+        SimpleCredentials credentials = 
AuthorizationField.valueOf(Collections.enumeration(List.of("Basic " + b64)));
+        assertEquals("test", credentials.getUserID());
+        assertEquals("123\u00a3", new String(credentials.getPassword()));
+    }
+
+    @Test
+    public void Basic64NoPadding() throws LoginException {
+        String b64 = 
Base64.getEncoder().withoutPadding().encodeToString("foo:bar".getBytes(StandardCharsets.UTF_8));
+        SimpleCredentials credentials = 
AuthorizationField.valueOf(Collections.enumeration(List.of("Basic " + b64)));
+        assertEquals("foo", credentials.getUserID());
+        assertEquals("ba", new String(credentials.getPassword())); // SHOULD 
be "bar"
+    }
 }
\ No newline at end of file

Reply via email to