Logging: Handle auth type case insensitively

According RFC-7617 (inherited from RFC-2978) schema and parameter names are handled case insensitively: ``` Note that both scheme and parameter names are matched case- insensitively. ``` Signed-off-by: Martin Bašti <mbasti@redhat.com>
2026-01-14 11:09:11 +08:00 · 2019-07-11 19:01:43 +02:00 · 2019-07-11 19:01:43 +02:00 · 7e640f804c
commit 7e640f804c
parent dc7b5d5c48
2 changed files with 11 additions and 3 deletions
--- a/gunicorn/glogging.py
+++ b/gunicorn/glogging.py
@ -445,7 +445,7 @@ class Logger(object):
    def _get_user(self, environ):
        user = None
        http_auth = environ.get("HTTP_AUTHORIZATION")
-        if http_auth and http_auth.startswith('Basic'):
+        if http_auth and http_auth.lower().startswith('basic'):
            auth = http_auth.split(" ", 1)
            if len(auth) == 2:
                try:
--- a/tests/test_logger.py
+++ b/tests/test_logger.py
@ -1,6 +1,8 @@
 import datetime
 from types import SimpleNamespace

+import pytest
+
 from gunicorn.config import Config
 from gunicorn.glogging import Logger

@ -47,7 +49,13 @@ def test_atoms_zero_bytes():
    assert atoms['B'] == 0


-def test_get_username_from_basic_auth_header():
+@pytest.mark.parametrize('auth', [
+    # auth type is case in-sensitive
+    'Basic YnJrMHY6',
+    'basic YnJrMHY6',
+    'BASIC YnJrMHY6',
+])
+def test_get_username_from_basic_auth_header(auth):
    request = SimpleNamespace(headers=())
    response = SimpleNamespace(
        status='200', response_length=1024, sent=1024,
@ -57,7 +65,7 @@ def test_get_username_from_basic_auth_header():
        'REQUEST_METHOD': 'GET', 'RAW_URI': '/my/path?foo=bar',
        'PATH_INFO': '/my/path', 'QUERY_STRING': 'foo=bar',
        'SERVER_PROTOCOL': 'HTTP/1.1',
-        'HTTP_AUTHORIZATION': 'Basic YnJrMHY6',
+        'HTTP_AUTHORIZATION': auth,
    }
    logger = Logger(Config())
    atoms = logger.atoms(response, request, environ, datetime.timedelta(seconds=1))