Diffstat (limited to 'Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs')
| -rw-r--r-- | Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs | 58 |
1 files changed, 43 insertions, 15 deletions
diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index c87f7dbbd..95be6552b 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -263,29 +263,57 @@ namespace Emby.Server.Implementations.HttpServer.Security return null; } - authorizationHeader = authorizationHeader[(firstSpace + 1)..]; + // Remove up until the first space + authorizationHeader = parts[1]; + return GetParts(authorizationHeader); + } - var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase); + /// <summary> + /// Get the authorization header components. + /// </summary> + /// <param name="authorizationHeader">The authorization header.</param> + /// <returns>string</returns> + public static Dictionary<string, string> GetParts(string authorizationHeader) + { + var result = new Dictionary<string, string>(); + var escaped = false; + int start = 0; + string key = string.Empty; - foreach (var item in authorizationHeader.Split(',')) + int i; + for (i = 0; i < authorizationHeader.Length; i++) { - var trimmedItem = item.Trim(); - var firstEqualsSign = trimmedItem.IndexOf('='); - - if (firstEqualsSign > 0) + var token = authorizationHeader[i]; + if (token == '"' || token == ',') + { + // Applying a XOR logic to evaluate whether it is opening or closing a value + escaped = (!escaped) == (token == '"'); + if (token == ',' && !escaped) + { + // Meeting a comma after a closing escape char means the value is complete + if (start < i) + { + result[key] = WebUtility.UrlDecode(authorizationHeader[start..i].Trim('"')); + key = string.Empty; + } + + start = i + 1; + } + } + else if (!escaped && token == '=') { - var key = trimmedItem[..firstEqualsSign].ToString(); - var value = NormalizeValue(trimmedItem[(firstEqualsSign + 1)..].Trim('"').ToString()); - result[key] = value; + key = authorizationHeader[start.. i]; + start = i + 1; } } - return result; - } + // Add last value + if (start < i) + { + result[key] = WebUtility.UrlDecode(authorizationHeader[start..i].Trim('"')); + } - private static string NormalizeValue(string value) - { - return string.IsNullOrEmpty(value) ? 
value : WebUtility.HtmlEncode(value); + return result; } } } |
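Review bot: In `GetParts`, keys are stored exactly as sliced by `key = authorizationHeader[start.. i];` into a dictionary created without a comparer, so a pair that follows `, ` keeps its leading space and key matching becomes case-sensitive; the removed code trimmed each item and used `StringComparer.OrdinalIgnoreCase`. Lookups by callers (not visible here) would presumably miss such keys, which changes how the credentials carried in this header are recognised. I would keep the old behaviour with `var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);` and `key = authorizationHeader[start..i].Trim();`. The hunk also drops `NormalizeValue`'s `WebUtility.HtmlEncode` in favour of `WebUtility.UrlDecode`, so every place that renders these values must now encode on output, and that is worth confirming before merge. The method that calls `GetParts` begins above the hunk.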
