From 3e735433add7c113a05933753bb71b4e2f974c2a Mon Sep 17 00:00:00 2001
From: Jason Toffaletti
Date: Fri, 11 Oct 2024 23:15:08 +0200
Subject: [PATCH 1/2] add TestURLProtectionSpace.test_createWithInvalidAuth to test parsing an invalid www-authenticate field
---
 Tests/Foundation/TestURLProtectionSpace.swift | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/Tests/Foundation/TestURLProtectionSpace.swift b/Tests/Foundation/TestURLProtectionSpace.swift
index 9ffbe11fae..83c5f22afa 100644
--- a/Tests/Foundation/TestURLProtectionSpace.swift
+++ b/Tests/Foundation/TestURLProtectionSpace.swift
@@ -203,5 +203,22 @@ class TestURLProtectionSpace : XCTestCase {
 XCTAssertEqual(param8_2_2.name, "param")
 XCTAssertEqual(param8_2_2.value, "")
 }
+
+ func test_createWithInvalidAuth() throws {
+ let headerFields1 = [
+ "Server": "Microsoft-IIS/10.0",
+ "request-id": "c71c2202-4013-4d64-9319-d40aba6bbe5c",
+ "WWW-Authenticate": "fdsfds",
+ "X-Powered-By": "ASP.NET",
+ "X-FEServer": "AM6PR0502CA0062",
+ "Date": "Sat, 04 Apr 2020 16:19:39 GMT",
+ "Content-Length": "0",
+ ]
+ let response1 = try XCTUnwrap(HTTPURLResponse(url: URL(string: "https://outlook.office365.com/Microsoft-Server-ActiveSync")!,
+ statusCode: 401,
+ httpVersion: "HTTP/1.1",
+ headerFields: headerFields1))
+ XCTAssertNil(URLProtectionSpace.create(with: response1))
+ }
 #endif
 }
From c670a75294a2314cdb6b32d359e09d44de2399f2 Mon Sep 17 00:00:00 2001
From: Jason Toffaletti
Date: Fri, 11 Oct 2024 23:22:51 +0200
Subject: [PATCH 2/2] add bounds checking to rangeOfTokenPrefix. Fixes Fatal error: Substring index is out of bounds
---
 Sources/FoundationNetworking/URLSession/HTTP/HTTPMessage.swift | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Sources/FoundationNetworking/URLSession/HTTP/HTTPMessage.swift b/Sources/FoundationNetworking/URLSession/HTTP/HTTPMessage.swift
index fae1e612d4..d31b7a4951 100644
--- a/Sources/FoundationNetworking/URLSession/HTTP/HTTPMessage.swift
+++ b/Sources/FoundationNetworking/URLSession/HTTP/HTTPMessage.swift
@@ -433,7 +433,7 @@ private extension String.UnicodeScalarView.SubSequence {
 var rangeOfTokenPrefix: Range? {
 guard !isEmpty else { return nil }
 var end = startIndex
- while self[end].isValidMessageToken {
+ while end != self.endIndex && self[end].isValidMessageToken {
 end = self.index(after: end)
 }
 guard end != startIndex else { return nil }
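Review bot: The bounded `while` in `rangeOfTokenPrefix` has no comment recording why the `endIndex` comparison is there, even though the value being scanned is a header field supplied by the remote server. A value made up only of token characters (the `fdsfds` case in the accompanying test) used to advance `end` past the last element and trap, so any server could crash the client with a 401 response. I would add `// Header values are remote-controlled; stop at endIndex so an all-token value cannot trap.` above the loop so the check is not simplified away later. The other scanning helpers in this private extension are outside the hunk; if any of them index `self[...]` in a loop without comparing against `endIndex`, they presumably need the same guard and a matching malformed-header test. The property's body continues past the end of the hunk.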