fix(authentication): parse base64 in strict mode

spaceone · spaceone · commit 4db2262ba2bd · 2026-05-21T01:10:34.000+02:00
diff --git a/httoop/authentication/basic.py b/httoop/authentication/basic.py
@@ -1,6 +1,6 @@
 from __future__ import annotations
 
-import base64
+import binascii
 from binascii import Error as Base64Error
 
 from httoop.exceptions import InvalidHeader
@@ -18,7 +18,9 @@ def parse(authinfo: bytes) -> dict[str, bytes]:
         #    raise InvalidHeader(_(u'Invalid base64 in basic authentication'))
 
         try:
-            username, password = base64.b64decode(authinfo.strip()).split(b':')
+            username, password = binascii.a2b_base64(authinfo.strip(), strict_mode=True).split(b':', 1)
+            if not username:
+                raise ValueError()
         except Base64Error:
             raise InvalidHeader(_('Basic authentication contains invalid base64'))
         except ValueError:
@@ -37,7 +39,7 @@ def compose(authinfo: ByteUnicodeDict) -> bytes:
         password = authinfo['password']
         # username = username.encode('ISO8859-1')
         # password = password.encode('ISO8859-1')
-        return base64.b64encode(b'%s:%s' % (username, password))
+        return binascii.b2a_base64(b'%s:%s' % (username, password), newline=False)
 
 
 class BasicAuthResponseScheme:
diff --git a/httoop/header/element.py b/httoop/header/element.py
@@ -242,9 +242,9 @@ def encode_rfc2047(cls, value: str) -> bytes:
             try:
                 value.encode('ISO8859-1')
             except UnicodeEncodeError:
-                return b'=?utf-8?b?%s?=' % (b2a_base64(value.encode('utf-8')).rstrip(b'\n'),)
+                return b'=?utf-8?b?%s?=' % (b2a_base64(value.encode('utf-8'), newline=False).rstrip(b'\n'),)
             else:  # pragma: no cover
-                return b'=?ISO8859-1?b?%s?=' % (b2a_base64(value.encode('ISO8859-1')).rstrip(b'\n'),)
+                return b'=?ISO8859-1?b?%s?=' % (b2a_base64(value.encode('ISO8859-1'), newline=False).rstrip(b'\n'),)
 
     def __repr__(self) -> str:
         params = f', {self.params!r}' if self.params else ''
diff --git a/tests/authentication/test_basic.py b/tests/authentication/test_basic.py
@@ -1,3 +1,4 @@
+import base64
 import pytest
 
 from httoop.exceptions import InvalidHeader
@@ -27,7 +28,28 @@ def test_basic_authorization(headers):
     assert elem.password == 'test'
 
 
-@pytest.mark.parametrize('invalid', [b'foo', b'Zm9v', 'föo'.encode('latin1')])
+@pytest.mark.parametrize('invalid,username,password', [
+    (base64.b64encode(b'username:pass:word'), b'username', b'pass:word'),
+    (base64.b64encode(b'username:'), b'username', b''),
+    (base64.b64encode(b'user\nname:password'), b'user\nname', b'password'),
+    (base64.b64encode(b'username:pass\nword'), b'username', b'pass\nword'),
+    # TODO: different encodings
+])
+def test_valid_headers(headers, invalid, username, password):
+    headers.parse(b'Authorization: Basic %s' % (invalid,))
+    elem = headers.element('Authorization')
+    assert elem.params['username'] == username
+    assert elem.params['password'] == password
+    headers.clear()
+
+
+@pytest.mark.parametrize('invalid', [
+    b'foo',
+    b'Zm9v',
+    'föo'.encode('latin1'),
+    base64.b64encode(b':password'),
+    base64.b64encode(b'username:password')+b'"$"_'
+])
 def test_invalid_headers(headers, invalid):
     headers.parse(b'Authorization: Basic %s' % (invalid,))
     with pytest.raises(InvalidHeader):
