Merge branch 'hotfix/29' into develop

weierophinney · weierophinney · commit ee81f2ab3ccb · 2018-04-12T16:05:26.000-05:00
Forward port #29 Conflicts: src/Adapter/Http.php test/Adapter/Http/AuthTest.php
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -51,7 +51,9 @@ All notable changes to this project will be documented in this file, in reverse
 
 ### Fixed
 
-- Nothing.
+- [#29](https://github.com/zendframework/zend-authentication/pull/29) fixes how the HTTP Auth adapter treats credentials,
+  ensuring it splits only on the first `:` character, and thus allows `:` characters
+  as part of the password segment of the credential.
 
 ## 2.5.3 - 2016-02-29
 
diff --git a/src/Adapter/Http.php b/src/Adapter/Http.php
@@ -1,10 +1,8 @@
 <?php
 /**
- * Zend Framework (http://framework.zend.com/)
- *
- * @link      http://github.com/zendframework/zf2 for the canonical source repository
- * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
- * @license   http://framework.zend.com/license/new-bsd New BSD License
+ * @see       https://github.com/zendframework/zend-authentication for the canonical source repository
+ * @copyright Copyright (c) 2012-2018 Zend Technologies USA Inc. (https://www.zend.com)
+ * @license   https://github.com/zendframework/zend-authentication/blob/master/LICENSE.md New BSD License
  */
 
 namespace Zend\Authentication\Adapter;
@@ -495,23 +493,29 @@ protected function _basicAuth($header)
         if (! ctype_print($auth)) {
             return $this->challengeClient();
         }
+
+        $pos = strpos($auth, ':');
+        if ($pos === false) {
+            return $this->challengeClient();
+        }
+        list($username, $password) = explode(':', $auth, 2);
+
         // Fix for ZF-1515: Now re-challenges on empty username or password
-        $creds = array_filter(explode(':', $auth));
-        if (count($creds) != 2) {
+        if (empty($username) || empty($password)) {
             return $this->challengeClient();
         }
 
-        $result = $this->basicResolver->resolve($creds[0], $this->realm, $creds[1]);
+        $result = $this->basicResolver->resolve($username, $this->realm, $password);
 
         if ($result instanceof Authentication\Result && $result->isValid()) {
             return $result;
         }
 
         if (! $result instanceof Authentication\Result
             && ! is_array($result)
-            && CryptUtils::compareStrings($result, $creds[1])
+            && CryptUtils::compareStrings($result, $password)
         ) {
-            $identity = ['username' => $creds[0], 'realm' => $this->realm];
+            $identity = ['username' => $username, 'realm' => $this->realm];
             return new Authentication\Result(Authentication\Result::SUCCESS, $identity);
         } elseif (is_array($result)) {
             return new Authentication\Result(Authentication\Result::SUCCESS, $result);
diff --git a/src/Adapter/Http/FileResolver.php b/src/Adapter/Http/FileResolver.php
@@ -1,10 +1,8 @@
 <?php
 /**
- * Zend Framework (http://framework.zend.com/)
- *
- * @link      http://github.com/zendframework/zf2 for the canonical source repository
- * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
- * @license   http://framework.zend.com/license/new-bsd New BSD License
+ * @see       https://github.com/zendframework/zend-authentication for the canonical source repository
+ * @copyright Copyright (c) 2005-2018 Zend Technologies USA Inc. (https://www.zend.com)
+ * @license   https://github.com/zendframework/zend-authentication/blob/master/LICENSE.md New BSD License
  */
 
 namespace Zend\Authentication\Adapter\Http;
@@ -110,7 +108,7 @@ public function resolve($username, $realm, $password = null)
 
         // No real validation is done on the contents of the password file. The
         // assumption is that we trust the administrators to keep it secure.
-        while (($line = fgetcsv($fp, 512, ':')) !== false) {
+        while (($line = fgetcsv($fp, 512, ':', '"')) !== false) {
             if ($line[0] == $username && $line[1] == $realm) {
                 $password = $line[2];
                 fclose($fp);
diff --git a/test/Adapter/Http/AuthTest.php b/test/Adapter/Http/AuthTest.php
@@ -1,10 +1,8 @@
 <?php
 /**
- * Zend Framework (http://framework.zend.com/)
- *
- * @link      http://github.com/zendframework/zf2 for the canonical source repository
- * @copyright Copyright (c) 2005-2015 Zend Technologies USA Inc. (http://www.zend.com)
- * @license   http://framework.zend.com/license/new-bsd New BSD License
+ * @see       https://github.com/zendframework/zend-authentication for the canonical source repository
+ * @copyright Copyright (c) 2012-2018 Zend Technologies USA Inc. (https://www.zend.com)
+ * @license   https://github.com/zendframework/zend-authentication/blob/master/LICENSE.md New BSD License
  */
 
 namespace ZendTest\Authentication\Adapter\Http;
@@ -15,9 +13,6 @@
 use Zend\Http\Request;
 use Zend\Http\Response;
 
-/**
- * @group      Zend_Auth
- */
 class AuthTest extends TestCase
 {
     // @codingStandardsIgnoreStart
@@ -168,6 +163,13 @@ public function testBasicAuthValidCreds()
         $this->_checkOK($data);
     }
 
+    public function testBasicAuthCanValidateCredentialsThatContainAColon()
+    {
+        // Attempt Basic Authentication with a valid username and a password that contains a colon
+        $data = $this->_doAuth('Basic ' . base64_encode('Colon:PasswordWith:Colon'), 'basic');
+        $this->_checkOK($data);
+    }
+
     public function testBasicAuthBadCreds()
     {
         // Ensure that credentials containing invalid characters are treated as
diff --git a/test/Adapter/Http/TestAsset/htbasic.1 b/test/Adapter/Http/TestAsset/htbasic.1
@@ -1,3 +1,4 @@
 Bryce:Test Realm:ThisIsNotMyPassword
 Mufasa:Test Realm:Circle Of Life
 Bad	Chars:In:Creds
+Colon:Test Realm:"PasswordWith:Colon"
