Commit 99f08b6
fix: reject stray trailing token after a valid auth-param in AuthChallengeParser
A WWW-Authenticate / Proxy-Authenticate value of the shape `Scheme key=value <token>` — a bare token directly following a valid auth-param with no separating comma (e.g. `Bearer realm="x" garbage`) — was mishandled. The continuation loop kept the param list open only while the next non-whitespace character was a comma, so on hitting the stray token it broke out and left the cursor parked on it. The top-level loop then read that token as the scheme of a phantom second challenge, so `Digest realm=value extra` parsed into two challenges (`digest` plus a bare `extra`) instead of one malformed challenge.
RFC 7235 §2.1 permits only a comma or end-of-input after an auth-param; a bare token there has no grammar production. The continuation loop now skips the malformed tail to the next top-level comma and emits the challenge with the params parsed before the garbage — consistent with the parser's existing lenient recovery, which preserves prior params.
Adds regression tests for the unquoted, quoted, and comma-separated-next-challenge variants.

1 parent a385c99 commit 99f08b6
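The continuation rule described in the message above, as an added stand-alone Python re-implementation (not the SDK's Kotlin `AuthChallengeParser`): with `recover=True` a stray token after a valid auth-param is skipped to the next top-level comma and the params already parsed are kept, while `recover=False` reproduces the pre-fix behaviour in which the stray token becomes the scheme of a phantom challenge. The function names, the simplified grammar (auth-params only, no token68) and the sample header values are constructed for illustration.

```python
import re

# RFC 7235 pieces: a tchar token, a quoted-string (escapes kept as-is), optional whitespace.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
WS = re.compile(r"[ \t]*")
_ws = lambda s, i: WS.match(s, i).end()

def _next_top_level_comma(s, i):
    """Skip a malformed tail to just past the next comma outside quotes (or to the end)."""
    quoted = False
    while i < len(s) and (quoted or s[i] != ","):
        quoted ^= s[i] == '"'
        i += 1
    return min(i + 1, len(s))

def _param_at(s, i):
    """Return (key, value, end) if s[i:] starts with token '=' (token | quoted-string)."""
    km = TOKEN.match(s, i)
    j = _ws(s, km.end()) if km else len(s)
    if j >= len(s) or s[j] != "=":
        return None
    j = _ws(s, j + 1)
    vm = QUOTED.match(s, j) or TOKEN.match(s, j)
    # group 1 is the quoted-string body; a bare token has no groups, so use group 0
    return (km.group().lower(), vm.group(vm.lastindex or 0), vm.end()) if vm else None

def parse_challenges(header, recover=True):
    """Parse a WWW-Authenticate value into [(scheme, {param: value}), ...] (hypothetical API)."""
    out, i, n = [], 0, len(header)
    while i < n:
        i = _ws(header, i)
        sm = TOKEN.match(header, i)
        if not sm:
            break                                # not a scheme token: stop parsing
        params, i = {}, _ws(header, sm.end())
        while (p := _param_at(header, i)):
            key, value, i = p
            params[key] = value
            i = _ws(header, i)
            if i < n and header[i] == ",":
                i = _ws(header, i + 1)           # comma: next is another param or a new scheme
                if _param_at(header, i):
                    continue
            elif recover and i < n:              # stray token after a valid param:
                i = _next_top_level_comma(header, i)  # drop the tail, keep parsed params
            break                                # (recover=False leaves the cursor on it)
        out.append((sm.group().lower(), params))
    return out
```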
2 files changed
Lines changed: 57 additions & 1 deletion
File tree
- sdk-core/src
- main/kotlin/org/dexpace/sdk/core/auth
- test/kotlin/org/dexpace/sdk/core/auth
Lines changed: 14 additions & 1 deletion
(hunk body not captured in this rendering: original lines 97-103, new lines 97-116)
Lines changed: 43 additions & 0 deletions
(hunk body not captured in this rendering: original lines 412-417, new lines 412-460)