Merge pull request #7 from n1tr0g/master

Proper handling of a malformed/bad header data length.
goji · Jan 7, 2015 · 74459b2 · 74459b2
2 parents ad16386 + dab6fee
commit 74459b2
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/basic_auth.go b/basic_auth.go
@@ -66,17 +66,17 @@ func (b *basicAuth) authenticate(r *http.Request) bool {
 	// allowable characters in the password.
 	creds := bytes.SplitN(str, []byte(":"), 2)
 
+	if len(creds) != 2 {
+		return false
+	}
+
 	// Equalize lengths of supplied and required credentials
 	// by hashing them
 	givenUser := sha256.Sum256(creds[0])
 	givenPass := sha256.Sum256(creds[1])
 	requiredUser := sha256.Sum256([]byte(b.opts.User))
 	requiredPass := sha256.Sum256([]byte(b.opts.Password))
 
-	if len(creds) != 2 {
-		return false
-	}
-
 	// Compare the supplied credentials to those set in our options
 	if subtle.ConstantTimeCompare(givenUser[:], requiredUser[:]) == 1 &&
 		subtle.ConstantTimeCompare(givenPass[:], requiredPass[:]) == 1 {