diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3f2137f0..91fdeb6d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 * Return a 404 instead of 500 when clients access media which is frozen.
 * Ensure the request parameters are correctly set for authenticated media client requests.
+* Fixed parsing of `Authorization` headers for federated servers.
 ## [1.3.7] - July 30, 2024
diff --git a/util/http.go b/util/http.go
index 0892f661..5bbcee27 100644
--- a/util/http.go
+++ b/util/http.go
@@ -58,44 +58,21 @@ func GetXMatrixAuth(headers []string) ([]XMatrixAuth, error) {
 paramCsv := h[len("X-Matrix "):]
 params := make(map[string]string)
- isKey := true
- keyName := ""
- keyValue := ""
- escape := false
- for _, c := range paramCsv {
- if c == ',' && isKey {
- params[strings.TrimSpace(strings.ToLower(keyName))] = keyValue
- keyName = ""
- keyValue = ""
- continue
- }
- if c == '=' {
- isKey = false
- continue
+
+ pairs := strings.Split(paramCsv, ",")
+ for _, pair := range pairs {
+ csv := strings.SplitN(pair, "=", 2)
+ if len(csv) != 2 {
+ return nil, fmt.Errorf("invalid auth param pair: %s", pair)
 }
- if isKey {
- keyName = fmt.Sprintf("%s%s", keyName, string(c))
- } else {
- if c == '\\' && !escape {
- escape = true
- continue
- }
- if c == '"' && !escape {
- escape = false
- if len(keyValue) > 0 {
- isKey = true
- }
- continue
- }
- if escape {
- escape = false
- }
- keyValue = fmt.Sprintf("%s%s", keyValue, string(c))
+ key := strings.TrimSpace(strings.ToLower(csv[0]))
+ value := strings.Trim(strings.TrimSpace(csv[1]), "\"")
+ if _, ok := params[key]; ok {
+ return nil, fmt.Errorf("duplicate auth param: %s", key)
 }
- }
- if len(keyName) > 0 && isKey {
- params[strings.TrimSpace(strings.ToLower(keyName))] = keyValue
+
+ params[key] = value
 }
 sig, err := DecodeUnpaddedBase64String(params["sig"])
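Review bot: The new loop in the util/http.go hunk splits on `,` and `=` before it looks at quotes, so a quoted value containing a comma or an escaped quote — which the removed character-by-character parser handled via its `\` and `"` tracking — is now rejected as an invalid pair or split in the wrong place, and `strings.Trim(..., "\"")` also accepts unbalanced or repeated quotes rather than a real quoted-string. Failing closed on unusual input is acceptable for an authentication header, but the accepted grammar should be stated so the change in leniency reads as deliberate, e.g. `// Accepts comma-separated key=value or key="value" pairs; quoted values may not contain ','.` above the `strings.Split` line. The two `fmt.Errorf` calls interpolate raw header bytes with `%s`; if these errors end up in logs, `%q` keeps control characters and newlines out of the log line, e.g. `return nil, fmt.Errorf("invalid auth param pair: %q", pair)`. The duplicate-parameter check is a welcome hardening, since the old code let a later `params[...] = keyValue` silently overwrite an earlier one. GetXMatrixAuth begins before this hunk and continues after the `sig, err :=` line, so how these errors are surfaced to the peer is not visible here.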