Merge branch 'fix-http-password-capture' of https://github.com/p-l-/zeek

* 'fix-http-password-capture' of https://github.com/p-l-/zeek: http: fix password capture when enabled
2025-10-02 14:48:21 +00:00 · 2024-08-30 18:56:24 +02:00 · 2024-08-30 18:56:24 +02:00 · c27e18631c
commit c27e18631c
parent 435770f99a 88368ae856
6 changed files with 32 additions and 3 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+7.1.0-dev.232 | 2024-08-30 18:56:24 +0200
+
+  * http: fix password capture when enabled (Pierre Lalet)
+
+    The current implementation would only log, if the password contains a
+    colon, the part before the first colon (e.g., the password
+    `password:password` would be logged as `password`).
+
+    A test has been added to confirm the expected behaviour.
+
 7.1.0-dev.230 | 2024-08-30 15:38:52 +0200

  * RunState: Drop broker_mgr->Active() usage (Arne Welzel, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-7.1.0-dev.230
+7.1.0-dev.232
--- a/scripts/base/protocols/http/main.zeek
+++ b/scripts/base/protocols/http/main.zeek
@ -338,8 +338,8 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 			if ( /^[bB][aA][sS][iI][cC] / in value )
 				{
 				local userpass = decode_base64_conn(c$id, sub(value, /[bB][aA][sS][iI][cC][[:blank:]]+/, ""));
-				local up = split_string(userpass, /:/);
-				if ( |up| >= 2 )
+				local up = split_string1(userpass, /:/);
+				if ( |up| == 2 )
 					{
 					c$http$username = up[0];
 					if ( c$http$capture_password )
--- a/testing/btest/Baseline/scripts.base.protocols.http.http-basic-auth-colon/http.log
+++ b/testing/btest/Baseline/scripts.base.protocols.http.http-basic-auth-colon/http.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	http
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
+#types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.24.133.205	43090	172.24.133.205	8000	1	GET	172.24.133.205:8000	/	-	1.0	python-requests/2.31.0	-	0	643	200	OK	-	-	(empty)	test	1:34	-	-	-	-	FM4Ls72L4REzbA61lg	-	text/html
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Traces/http/basic-auth-with-colon.trace
+++ b/testing/btest/Traces/http/basic-auth-with-colon.trace
--- a/testing/btest/scripts/base/protocols/http/http-basic-auth-colon.zeek
+++ b/testing/btest/scripts/base/protocols/http/http-basic-auth-colon.zeek
@ -0,0 +1,8 @@
+# Authorization: Basic password has a colon in its value
+#
+# @TEST-EXEC: zeek -b -r $TRACES/http/basic-auth-with-colon.trace %INPUT
+# @TEST-EXEC: btest-diff http.log
+
+@load base/protocols/http
+
+redef HTTP::default_capture_password = T;