Authentication fails when password contains one or more colons

[zn8nz]

The split method chops the password into parts if the password contains a colon, then the total credentialsParts.length > 2. The HTTP Basic Authentication spec does not restrict passwords this way.

var credentialsParts = new Buffer(parts[1], 'base64').toString().split(':');
if (credentialsParts.length !== 2) {
return reply(Boom.badRequest('Bad header internal syntax', 'Basic'));
}

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.