Security: Prevent loading of usernames containing a slash

"/" is a valid character in HTTP authorization headers, but it is also used in
rest-server to map usernames to private repos.

This commit prevents loading maliciously composed usernames like
"/foo/config" by restricting the allowed characters to the unicode
character class, numbers, "-", "." and "@".

Closes #131
Juergen Hoetzel 2020-12-23 11:30:00 +01:00
parent ba581f22ed
commit 33c41b55bb
2 changed files with 22 additions and 0 deletions


@ -0,0 +1,16 @@
Security: Prevent loading of usernames containing a slash
"/" is valid char in HTTP authorization headers, but is also used in
rest-server to map usernames to private repos.
This commit prevents loading maliciously composed usernames like
"/foo/config" by restricting the allowed characters to the unicode
character class, numbers, "-", "." and "@".
This prevents requests to other users files like:
curl -v -X DELETE -u foo/config:attack http://localhost:8000/foo/config
https://github.com/restic/rest-server/issues/131
https://github.com/restic/rest-server/pull/132


@ -100,6 +100,8 @@ func (h *HtpasswdFile) throttleTimer() {
} }
} }
var validUsernameRegexp = regexp.MustCompile(`^[\p{L}@.-]+$`)
// Reload reloads the htpasswd file. If the reload fails, the Users map is not changed and the error is returned. // Reload reloads the htpasswd file. If the reload fails, the Users map is not changed and the error is returned.
func (h *HtpasswdFile) Reload() error { func (h *HtpasswdFile) Reload() error {
r, err := os.Open(h.path) r, err := os.Open(h.path)
@ -119,6 +121,10 @@ func (h *HtpasswdFile) Reload() error {
} }
users := make(map[string]string) users := make(map[string]string)
for _, record := range records { for _, record := range records {
if !validUsernameRegexp.MatchString(record[0]) {
log.Printf("Ignoring invalid username %q in htpasswd, consists of characters other than letters", record[0])
continue
}
users[record[0]] = record[1] users[record[0]] = record[1]
} }
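Review bot: The character class in `validUsernameRegexp` (`^[\p{L}@.-]+$`, first hunk of this file) admits no digits, although the commit message and the changelog entry both say numbers are allowed; a username such as `user1` is now dropped on every reload with the "Ignoring invalid username" log line in this hunk. If digits are intended, use `^[\p{L}\p{N}@.-]+$` and reword the log message to `"Ignoring invalid username %q in htpasswd, contains characters outside the allowed set"`, since "other than letters" is inaccurate for either version of the class. Either way, a comment on the regexp stating the allowed set and why "/" is excluded (it separates the username from the repo path) would help the next reader. The first hunk's header reports two additions but only one added line is visible, presumably a blank line lost in rendering; Reload continues past the end of this hunk.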