From 8b9de77cd25a4c07bdeec8c7ef8a6c7911ac98f7 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sat, 1 May 2021 23:38:15 +0200
Subject: [PATCH] http: fix the check for 'Authorization' with Bearer
The code would wrongly check for it using an additional colon.
Reported-by: Blake Burkhart
Closes #6988
---
 lib/http.c | 2 +-
 lib/transfer.c | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/http.c b/lib/http.c
index 3cb21760d..e59ee6c2d 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -740,7 +740,7 @@ output_auth_headers(struct Curl_easy *data,
 if(authstatus->picked == CURLAUTH_BEARER) {
 /* Bearer */
 if((!proxy && data->set.str[STRING_BEARER] &&
- !Curl_checkheaders(data, "Authorization:"))) {
+ !Curl_checkheaders(data, "Authorization"))) {
 auth = "Bearer";
 result = http_output_bearer(data);
 if(result)
diff --git a/lib/transfer.c b/lib/transfer.c
index c31e22e00..3ed321dd4 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -99,6 +99,8 @@ char *Curl_checkheaders(const struct Curl_easy *data,
 {
 struct curl_slist *head;
 size_t thislen = strlen(thisheader);
+ DEBUGASSERT(thislen);
+ DEBUGASSERT(thisheader[thislen-1] != ':');
 for(head = data->set.headers; head; head = head->next) {
 if(strncasecompare(head->data, thisheader, thislen) &&
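Review bot: The corrected Bearer condition in output_auth_headers() has no regression test in this patch; the diffstat lists only lib/http.c and lib/transfer.c. With the old `"Authorization:"` argument the lookup presumably never matched an application-supplied header, so the bearer token would have been sent alongside a custom Authorization header, and nothing here pins that case. I would add a test that sets a bearer token together with a custom `Authorization` header and verifies that exactly one Authorization header goes out. A short comment at the call, `/* header name is passed without the colon */`, would also help keep a later edit from reintroducing it. The function body starts and ends outside the hunk.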
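Review bot: The two added `DEBUGASSERT` lines in Curl_checkheaders() enforce the no-trailing-colon contract only in debug builds, because DEBUGASSERT is compiled out otherwise. A release build that is handed `"Name:"` would, judging by the commit message, still report the header as absent without any signal, which is the fail-open behaviour this commit fixes for Bearer. The contract should therefore also be stated in the function comment, for example `/* 'thisheader' is the header name without the trailing colon and must not be empty */`. The remaining Curl_checkheaders() call sites are worth auditing for literals ending in ':' as part of this change, since only code paths run by a debug-build test will trip the assert. The body continues past the last hunk line, so the separator check that follows `strncasecompare(...) &&` is not visible here.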