Fix ArgumentOutOfRangeException when validating Basic Authorization header

benyu23 · benyu23 · commit de2844edd840 · 2026-05-10T19:41:34.000+08:00
diff --git a/Tests/HttpUnitTests/HttpListenerRequest.cs b/Tests/HttpUnitTests/HttpListenerRequest.cs
@@ -0,0 +1,31 @@
+﻿// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Net;
+using nanoFramework.TestFramework;
+
+namespace HttpUnitTests
+{
+    internal class HttpListenerRequestTests
+    {
+        // Verifies that malformed Authorization header (no space) does not cause a crash
+        [TestMethod]
+        public void Add_Authorization_NoSpaceMultipleChars_ShouldNotThrow()
+        {
+            var headers = new WebHeaderCollection();
+            headers.Add("Authorization: a111111");
+            string value = headers["Authorization"];
+            Assert.AreEqual("a111111", value);
+        }
+
+        // Verifies that a properly formatted Authorization header (with space) is parsed and stored correctly
+        [TestMethod]
+        public void Add_Authorization_ValidBasicToken_ShouldSucceed()
+        {
+            var headers = new WebHeaderCollection();
+            headers.Add("Authorization: Basic a111111");
+            string value = headers["Authorization"];
+            Assert.AreEqual("Basic a111111", value);
+        }
+    }
+}
diff --git a/Tests/HttpUnitTests/HttpUnitTests.nfproj b/Tests/HttpUnitTests/HttpUnitTests.nfproj
@@ -26,6 +26,7 @@
   </PropertyGroup>
   <Import Project="$(NanoFrameworkProjectSystemPath)NFProjectSystem.props" Condition="Exists('$(NanoFrameworkProjectSystemPath)NFProjectSystem.props')" />
   <ItemGroup>
+    <Compile Include="HttpListenerRequest.cs" />
     <Compile Include="HttpUtilityTest.cs" />
     <Compile Include="StreamContentTest.cs" />
     <Compile Include="ByteArrayContentTest.cs" />
diff --git a/nanoFramework.System.Net.Http/Http/System.Net.HttpListenerRequest.cs b/nanoFramework.System.Net.Http/Http/System.Net.HttpListenerRequest.cs
@@ -1,4 +1,4 @@
-//
+﻿//
 // Copyright (c) .NET Foundation and Contributors
 // Portions Copyright (c) Microsoft Corporation.  All rights reserved.
 // See LICENSE file in the project root for full license information.
@@ -206,21 +206,26 @@ internal void ParseHTTPRequest()
                 if (headerName == "authorization")
                 {
                     int sepSpace = headerValue.IndexOf(' ');
-                    string authType = headerValue.Substring(0, sepSpace);
-                    if (authType.ToLower() == "basic")
+                    // Authorization header value must be in format "type credentials". If not, ignore.
+                    if (sepSpace > 0)
                     {
-                        string authInfo = headerValue.Substring(sepSpace + 1);
-                        // authInfo is base64 encoded username and password.
-                        byte[] authInfoDecoded = Convert.FromBase64String(authInfo);
-                        char[] authInfoDecChar = System.Text.Encoding.UTF8.GetChars(authInfoDecoded);
-                        string strAuthInfo = new string(authInfoDecChar);
-                        // The strAuthInfo comes in format username:password. Parse it.
-                        int sepColon = strAuthInfo.IndexOf(':');
-                        if (sepColon != -1)
+                        string authType = headerValue.Substring(0, sepSpace);
+                        if (authType.ToLower() == "basic")
                         {
-                            m_NetworkCredentials = new NetworkCredential(strAuthInfo.Substring(0, sepColon), strAuthInfo.Substring(sepColon + 1));
+                            string authInfo = headerValue.Substring(sepSpace + 1);
+                            // authInfo is base64 encoded username and password.
+                            byte[] authInfoDecoded = Convert.FromBase64String(authInfo);
+                            char[] authInfoDecChar = System.Text.Encoding.UTF8.GetChars(authInfoDecoded);
+                            string strAuthInfo = new string(authInfoDecChar);
+                            // The strAuthInfo comes in format username:password. Parse it.
+                            int sepColon = strAuthInfo.IndexOf(':');
+                            if (sepColon != -1)
+                            {
+                                m_NetworkCredentials = new NetworkCredential(strAuthInfo.Substring(0, sepColon), strAuthInfo.Substring(sepColon + 1));
+                            }
                         }
                     }
+
                 }
             }
 
