Logging: Handle auth type case insensitively

According RFC-7617 (inherited from RFC-2978) schema and parameter names are handled case insensitively: ``` Note that both scheme and parameter names are matched case- insensitively. ``` Signed-off-by: Martin Bašti <mbasti@redhat.com>
benoitc · Jul 17, 2019 · 7e640f8 · 7e640f8
1 parent dc7b5d5
commit 7e640f8
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/gunicorn/glogging.py b/gunicorn/glogging.py
@@ -445,7 +445,7 @@ def _set_syslog_handler(self, log, cfg, fmt, name):
     def _get_user(self, environ):
         user = None
         http_auth = environ.get("HTTP_AUTHORIZATION")
-        if http_auth and http_auth.startswith('Basic'):
+        if http_auth and http_auth.lower().startswith('basic'):
             auth = http_auth.split(" ", 1)
             if len(auth) == 2:
                 try:

diff --git a/tests/test_logger.py b/tests/test_logger.py
@@ -1,6 +1,8 @@
 import datetime
 from types import SimpleNamespace
 
+import pytest
+
 from gunicorn.config import Config
 from gunicorn.glogging import Logger
 
@@ -47,7 +49,13 @@ def test_atoms_zero_bytes():
     assert atoms['B'] == 0
 
 
-def test_get_username_from_basic_auth_header():
+@pytest.mark.parametrize('auth', [
+    # auth type is case in-sensitive
+    'Basic YnJrMHY6',
+    'basic YnJrMHY6',
+    'BASIC YnJrMHY6',
+])
+def test_get_username_from_basic_auth_header(auth):
     request = SimpleNamespace(headers=())
     response = SimpleNamespace(
         status='200', response_length=1024, sent=1024,
@@ -57,7 +65,7 @@ def test_get_username_from_basic_auth_header():
         'REQUEST_METHOD': 'GET', 'RAW_URI': '/my/path?foo=bar',
         'PATH_INFO': '/my/path', 'QUERY_STRING': 'foo=bar',
         'SERVER_PROTOCOL': 'HTTP/1.1',
-        'HTTP_AUTHORIZATION': 'Basic YnJrMHY6',
+        'HTTP_AUTHORIZATION': auth,
     }
     logger = Logger(Config())
     atoms = logger.atoms(response, request, environ, datetime.timedelta(seconds=1))