According to RFC7617 the password consists of everything following

the first colon, including any colons.
erlyaws · Nov 8, 2023 · c3860c1 · c3860c1
1 parent fac28a9
commit c3860c1
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/src/yaws.erl b/src/yaws.erl
@@ -2948,12 +2948,9 @@ parse_auth(Orig = "Basic " ++ Auth64) ->
         {error, _Err} ->
             {undefined, undefined, Orig};
         Auth ->
-            case string:tokens(Auth, ":") of
-                [User, Pass ] ->
-                    {User, Pass, Orig};
-                [User, Pass0 | Extra] ->
-                    %% password can contain :
-                    Pass = join_sep([Pass0 | Extra], ":"),
+            case string:split(Auth, ":") of
+                %% Password can contain colons, username cannot (RFC7617).
+                [User, Pass] when User /= [] ->
                     {User, Pass, Orig};
                 _ ->
                     {undefined, undefined, Orig}

diff --git a/testsuite/auth_SUITE.erl b/testsuite/auth_SUITE.erl
@@ -54,6 +54,11 @@ end_per_testcase(_Test, _Config) ->
 
 %%====================================================================
 basic_auth(Config) ->
+    User0 = "foo",
+    Password0 = "::bar:::frob::::",
+    {_, Auth0} = auth_header(User0, Password0),
+    ?assertMatch({User0, Password0, Auth0}, yaws:parse_auth(Auth0)),
+
     Port  = testsuite:get_yaws_port(1, Config),
     Url   = testsuite:make_url(http, "127.0.0.1", Port, "/test1/a.txt"),
     Auth1 = auth_header("foo", "baz"),