From 88368ae8563e4207a689921b2e4236946ce3301a Mon Sep 17 00:00:00 2001
From: Pierre Lalet <pierre@droids-corp.org>
Date: Wed, 28 Aug 2024 21:44:39 +0200
Subject: [PATCH] http: fix password capture when enabled

The current implementation would only log, if the password contains a
colon, the part before the first colon (e.g., the password
`password:password` would be logged as `password`).

A test has been added to confirm the expected behaviour.
---
 scripts/base/protocols/http/main.zeek            |   4 ++--
 .../http.log                                     |  11 +++++++++++
 .../Traces/http/basic-auth-with-colon.trace      | Bin 0 -> 1840 bytes
 .../protocols/http/http-basic-auth-colon.zeek    |   8 ++++++++
 4 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.http.http-basic-auth-colon/http.log
 create mode 100644 testing/btest/Traces/http/basic-auth-with-colon.trace
 create mode 100644 testing/btest/scripts/base/protocols/http/http-basic-auth-colon.zeek

diff --git a/scripts/base/protocols/http/main.zeek b/scripts/base/protocols/http/main.zeek
index 0f65c6b984..e334a83253 100644
--- a/scripts/base/protocols/http/main.zeek
+++ b/scripts/base/protocols/http/main.zeek
@@ -338,8 +338,8 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 			if ( /^[bB][aA][sS][iI][cC] / in value )
 				{
 				local userpass = decode_base64_conn(c$id, sub(value, /[bB][aA][sS][iI][cC][[:blank:]]+/, ""));
-				local up = split_string(userpass, /:/);
-				if ( |up| >= 2 )
+				local up = split_string1(userpass, /:/);
+				if ( |up| == 2 )
 					{
 					c$http$username = up[0];
 					if ( c$http$capture_password )
diff --git a/testing/btest/Baseline/scripts.base.protocols.http.http-basic-auth-colon/http.log b/testing/btest/Baseline/scripts.base.protocols.http.http-basic-auth-colon/http.log
new file mode 100644
index 0000000000..e386f15fb5
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-basic-auth-colon/http.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.24.133.205	43090	172.24.133.205	8000	1	GET	172.24.133.205:8000	/	-	1.0	python-requests/2.31.0	-	0	643	200	OK	-	-	(empty)	test	1:34	-	-	-	-	FM4Ls72L4REzbA61lg	-	text/html
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/http/basic-auth-with-colon.trace b/testing/btest/Traces/http/basic-auth-with-colon.trace
new file mode 100644
index 0000000000000000000000000000000000000000..c1b03b6ecbad02a99d58e70d607337d0279a05fd
GIT binary patch
literal 1840
zcmZ{lO>Epm6vroSC}hP-El3dH(7^|Us;tNR(WG&lRnmBsLb6GeZ27twdv@2vv5h^O
zbfZ0l11EYxLgiX+Edo&?RTXDcI8;q8g(6X@2M`=URga|~THcJ;X}#^PG&|#+H$VU9
zKkv<6|MB~;Bs7eYPq&NEpYV|TZMVMk(g@OF%v%LI<L(TaIr#bAZ$>}8#@qSTBQxmI
zXTS5c=cMk9A6`UA8t&d0mY&Phf8Nyi??VR;Jj+=>^|27*tY7aWtRpk$SFZ%)-vRID
zxfi-uZ~dEQabCh2eR%|xfXy4|DjEL?UEPG$({&Sg7k3Ux=->s=F%)a!9InR(#%);7
z8!&Dg_XNXuDq~ba|J+J5<|{Q!@X1<jh2)idHgnRCn1=Hc1*K3@^2MT3P>*THRaMPq
zPDM1#%{Hh90YRHJeJ>Z%k6Sci5h*CeyaF+^mPG@Wt9X`gJ6=P>jcq3w!#1tECZox`
zhL4h?+02~pdDLQ#?`e3Q(jaHL&L$6P0X%fJ&3NjB895fl_WV2Bw&9;%{-_Es%4YcP
z$41i*b{6>VKlnD;eeX0bqDyDa?i?EGK659%d(QX-7<=FzZ{XlwXHhT?Ka~LvJ`Z`)
zJB2BJ3O(;sTu@cKypYYT(QuQ78eVfY0+)(uRT;-C!ZK1+^6-?+7~qG7tG+je3*-3h
zmIvz#MVwc)V?_-}^VOPgh=JcZ)(#+;(bJ4H*@ioXt)>}9lufr-J$L+3+#>ZFtf}Gg
zQZcdUk3Nfx`yxReCfkdX?9ACK!Nh{FXf3t9DQ*#YWdvQ8kZ2VoUG7vl<GnW%Mr`xM
zg0LAZD!-9t=&u{gbG7$ZDv)T^MZ9wA#Nu0XSk4jhZgGwfqh`btB}L5>QdyF*++-}!
z2-(`&QnreUA2vvBRqVY)A{IIpQ*36-<&4h#;2kw>=r$-bF<+a5%yc%VWymq%U=19U
zu@yf}%Y&@sMCLG;mJKI_-1NgXcAbbpF5|i%Vxp6HI-`@`D?jw@HW!c|yaeVTAcU_L
z*XlZD9aM(2J}oN^hY`6fI-QthoxtpqAx^{dLmJ1$;{m~z+lm;}sZ9gdZz~(%(Gx!n
zSXysc>q=mmfn44n4hRiQYu#*65T1+%1-h+<<MFt7Fd%HTGHX;TLhb%=Kxjw<KV&u_
zlhI>=MEEP5CcSeJNmCZL#TSsqsr&YUD1`?}8b2z9$z3Rgd(toIH0Gu7cORp(ByNkZ
z6GmJLle?l64ogV7w$ISvwh-m?*Q<Rx9ts`z6UJjY_I5bqYKozA9h0x68J%UJ<3hsd
O>DU7uU-JKse#ZY7z(KtL

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/http/http-basic-auth-colon.zeek b/testing/btest/scripts/base/protocols/http/http-basic-auth-colon.zeek
new file mode 100644
index 0000000000..6cef93eba7
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/http/http-basic-auth-colon.zeek
@@ -0,0 +1,8 @@
+# Authorization: Basic password has a colon in its value
+#
+# @TEST-EXEC: zeek -b -r $TRACES/http/basic-auth-with-colon.trace %INPUT
+# @TEST-EXEC: btest-diff http.log
+
+@load base/protocols/http
+
+redef HTTP::default_capture_password = T;