From 24d6972f6b31521f96a626dd31746506d3145fa2 Mon Sep 17 00:00:00 2001
From: Nis Wechselberg <enbewe@enbewe.de>
Date: Wed, 9 Jul 2025 23:01:03 +0200
Subject: [PATCH] fix: ASCII equal fold for authorization header (#8391)

For the "Authorization:" header only lowercase "token" was accepted. This change allows uppercase "Token" as well.

Signed-off-by: Nis Wechselberg <enbewe@enbewe.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8391
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Nis Wechselberg <enbewe@enbewe.de>
Co-committed-by: Nis Wechselberg <enbewe@enbewe.de>
---
 modules/util/string.go       | 22 ++++++++++++++++++++++
 modules/util/string_test.go  | 26 ++++++++++++++++++++++++++
 services/auth/oauth2.go      |  3 ++-
 services/auth/oauth2_test.go | 28 ++++++++++++++++++++++++++++
 4 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/modules/util/string.go b/modules/util/string.go
index cf50f591c6..ca3d43ec6e 100644
--- a/modules/util/string.go
+++ b/modules/util/string.go
@@ -95,3 +95,25 @@ func UnsafeBytesToString(b []byte) string {
 func UnsafeStringToBytes(s string) []byte {
 	return unsafe.Slice(unsafe.StringData(s), len(s))
 }
+
+// AsciiEqualFold is taken from Golang, but reimplemented here, since the original is not exposed to public
+// Taken from: https://cs.opensource.google/go/go/+/refs/tags/go1.24.4:src/net/http/internal/ascii/print.go
+func ASCIIEqualFold(s, t string) bool {
+	if len(s) != len(t) {
+		return false
+	}
+	for i := 0; i < len(s); i++ {
+		if ASCIILower(s[i]) != ASCIILower(t[i]) {
+			return false
+		}
+	}
+	return true
+}
+
+// AsciiLower returns the ASCII lowercase version of b.
+func ASCIILower(b byte) byte {
+	if 'A' <= b && b <= 'Z' {
+		return b + ('a' - 'A')
+	}
+	return b
+}
diff --git a/modules/util/string_test.go b/modules/util/string_test.go
index 0a4a8bbcfb..1012ab32a4 100644
--- a/modules/util/string_test.go
+++ b/modules/util/string_test.go
@@ -45,3 +45,29 @@ func TestToSnakeCase(t *testing.T) {
 		assert.Equal(t, expected, ToSnakeCase(input))
 	}
 }
+
+func TestASCIIEqualFold(t *testing.T) {
+	cases := map[string]struct {
+		First    string
+		Second   string
+		Expected bool
+	}{
+		"Empty String":          {First: "", Second: "", Expected: true},
+		"Single Letter Ident":   {First: "h", Second: "h", Expected: true},
+		"Single Letter Equal":   {First: "h", Second: "H", Expected: true},
+		"Single Letter Unequal": {First: "h", Second: "g", Expected: false},
+		"Simple Match Ident":    {First: "someString", Second: "someString", Expected: true},
+		"Simple Match Equal":    {First: "someString", Second: "someSTRIng", Expected: true},
+		"Simple Match Unequal":  {First: "someString", Second: "sameString", Expected: false},
+		"Different Length":      {First: "abcdef", Second: "abcdefg", Expected: false},
+		"Unicode Kelvin":        {First: "ghijklm", Second: "GHIJ\u212ALM", Expected: false},
+	}
+
+	for name := range cases {
+		c := cases[name]
+		t.Run(name, func(t *testing.T) {
+			Actual := ASCIIEqualFold(c.First, c.Second)
+			assert.Equal(t, c.Expected, Actual)
+		})
+	}
+}
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
index 093940aa18..4fdd15d7ec 100644
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -17,6 +17,7 @@ import (
 	"forgejo.org/modules/log"
 	"forgejo.org/modules/setting"
 	"forgejo.org/modules/timeutil"
+	"forgejo.org/modules/util"
 	"forgejo.org/modules/web/middleware"
 	"forgejo.org/services/actions"
 	"forgejo.org/services/auth/source/oauth2"
@@ -125,7 +126,7 @@ func parseToken(req *http.Request) (string, bool) {
 	// check header token
 	if auHead := req.Header.Get("Authorization"); auHead != "" {
 		auths := strings.Fields(auHead)
-		if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
+		if len(auths) == 2 && (util.ASCIIEqualFold(auths[0], "token") || util.ASCIIEqualFold(auths[0], "bearer")) {
 			return auths[1], true
 		}
 	}
diff --git a/services/auth/oauth2_test.go b/services/auth/oauth2_test.go
index d6455b33ad..3fce7df50b 100644
--- a/services/auth/oauth2_test.go
+++ b/services/auth/oauth2_test.go
@@ -4,6 +4,7 @@
 package auth
 
 import (
+	"net/http"
 	"testing"
 
 	"forgejo.org/models/unittest"
@@ -52,3 +53,30 @@ func TestCheckTaskIsRunning(t *testing.T) {
 		})
 	}
 }
+
+func TestParseToken(t *testing.T) {
+	cases := map[string]struct {
+		Header        string
+		ExpectedToken string
+		Expected      bool
+	}{
+		"Token Uppercase":  {Header: "Token 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
+		"Token Lowercase":  {Header: "token 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
+		"Token Unicode":    {Header: "to\u212Aen 1234567890123456789012345687901325467890", ExpectedToken: "", Expected: false},
+		"Bearer Uppercase": {Header: "Bearer 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
+		"Bearer Lowercase": {Header: "bearer 1234567890123456789012345687901325467890", ExpectedToken: "1234567890123456789012345687901325467890", Expected: true},
+		"Missing type":     {Header: "1234567890123456789012345687901325467890", ExpectedToken: "", Expected: false},
+		"Three Parts":      {Header: "abc 1234567890 test", ExpectedToken: "", Expected: false},
+	}
+
+	for name := range cases {
+		c := cases[name]
+		t.Run(name, func(t *testing.T) {
+			req, _ := http.NewRequest("GET", "/", nil)
+			req.Header.Add("Authorization", c.Header)
+			ActualToken, ActualSuccess := parseToken(req)
+			assert.Equal(t, c.ExpectedToken, ActualToken)
+			assert.Equal(t, c.Expected, ActualSuccess)
+		})
+	}
+}