Prevent invalid tokens from breaking HTTP header syntax

Author: kornelski

src/cargo/core/package.rs

@@ -1,3 +1,4 @@
+use crates_io::check_token;
 use std::cell::{Cell, Ref, RefCell, RefMut};
 use std::cmp::Ordering;
 use std::collections::{BTreeMap, BTreeSet, HashMap, HashSet};
@@ -743,6 +744,7 @@ impl<'a, 'gctx> Downloads<'a, 'gctx> {
         // Add authorization header.
         if let Some(authorization) = authorization {
             let mut headers = curl::easy::List::new();
+            check_token(&authorization)?;
             headers.append(&format!("Authorization: {}", authorization))?;
             handle.http_headers(headers)?;
         }

src/cargo/sources/registry/http_remote.rs

@@ -15,6 +15,7 @@ use crate::util::{auth, Filesystem, GlobalContext, IntoUrl, Progress, ProgressSt
 use anyhow::Context as _;
 use cargo_credential::Operation;
 use cargo_util::paths;
+use crates_io::check_token;
 use curl::easy::{Easy, List};
 use curl::multi::{EasyHandle, Multi};
 use std::cell::RefCell;
@@ -663,6 +664,7 @@ impl<'gctx> RegistryData for HttpRegistry<'gctx> {
                 self.auth_error_headers.clone(),
                 true,
             )?;
+            check_token(&authorization)?;
             headers.append(&format!("Authorization: {}", authorization))?;
             trace!(target: "network", "including authorization for {}", full_url);
         }

tests/testsuite/registry_auth.rs

@@ -390,6 +390,34 @@ Caused by:
         .run();
 }
 
+#[cargo_test]
+fn syntactically_invalid_token() {
+    let _registry = RegistryBuilder::new()
+        .alternative()
+        .auth_required()
+        .no_configure_token()
+        .http_index()
+        .build();
+
+    let p = make_project();
+    cargo(&p, "build")
+        .env("CARGO_REGISTRIES_ALTERNATIVE_TOKEN", "\t\n悪")
+        .with_status(101)
+        .with_stderr_data(str![[r#"
+[UPDATING] `alternative` index
+[ERROR] failed to get `bar` as a dependency of package `foo v0.0.1 ([ROOT]/foo)`
+
+Caused by:
+  Token for registry `alternative` is invalid (defined in environment variable `CARGO_REGISTRIES_ALTERNATIVE_TOKEN`)
+
+Caused by:
+  token contains invalid characters.
+  Only printable ASCII characters are allowed as it is sent in a HTTPS header.
+
+"#]])
+        .run();
+}
+
 #[cargo_test]
 fn incorrect_token_git() {
     let _registry = RegistryBuilder::new()