Authorization::value can construct a non-ASCII HeaderValue through Safe Rust #534

@yilin0518

Hello, I found a bug in http-types 2.12.0 related to Authorization::value.

Description

Authorization::value uses HeaderValue::from_bytes_unchecked with the following justification:

// SAFETY: the internal string is validated to be ASCII.

However, Authorization does not actually enforce ASCII on credentials.

Relevant code:

  • Authorization::new accepts any String for credentials
  • Authorization::set_credentials also accepts any String without validation
  • Authorization::value formats scheme + credentials and passes the result into HeaderValue::from_bytes_unchecked

This means Safe Rust can create an Authorization whose value contains non-ASCII UTF-8.

Minimal PoC:

use http_types::auth::Authorization;
use http_types::auth::AuthenticationScheme;

fn main() {
    // Credentials are accepted without ASCII validation.
    let mut auth = Authorization::new(AuthenticationScheme::Basic, String::new());

    // This injects non-ASCII UTF-8 into the formatted header value.
    auth.set_credentials("α".to_string());

    let header = auth.value();
    println!("{:?}", header.as_str().as_bytes());
}

Why this seems wrong:

  • AuthenticationScheme formats to ASCII text.
  • credentials is arbitrary String data.
  • Therefore the formatted output is not guaranteed to be ASCII.
  • But HeaderValue::from_bytes_unchecked is being called under the assumption that the value is ASCII.

I did not confirm Undefined Behavior with this Safe Rust PoC under Miri, so I am not reporting this as a confirmed soundness issue. However, the unsafe justification in Authorization::value appears incorrect, and the method can produce a HeaderValue that violates the crate’s documented ASCII invariant.

Suggested fixes:

  • Validate credentials as ASCII in Authorization::new and set_credentials.
  • Or make value return a Result<HeaderValue, Error> and use HeaderValue::from_bytes.

Thank you.
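A sketch of the two suggested fixes combined, added here as an illustration; it is not part of the original issue and not http-types code. `HeaderValue`, `Authorization` and the `NonAscii` error are std-only stand-ins (assumptions) so the example builds without the crate, the scheme is modelled as a string instead of the crate's `AuthenticationScheme` enum, and the credential string is a constructed sample.

```rust
// Added illustration; std-only stand-ins, not http-types' real types.
#[derive(Debug, PartialEq)]
pub struct NonAscii; // hypothetical error type

#[derive(Debug, PartialEq)]
pub struct HeaderValue(String);

impl HeaderValue {
    /// Checked constructor: refuses any byte outside the ASCII range.
    pub fn from_bytes(bytes: Vec<u8>) -> Result<Self, NonAscii> {
        if !bytes.is_ascii() {
            return Err(NonAscii);
        }
        String::from_utf8(bytes).map(HeaderValue).map_err(|_| NonAscii)
    }
    pub fn as_str(&self) -> &str {
        &self.0
    }
}

pub struct Authorization {
    scheme: &'static str, // the crate uses an AuthenticationScheme enum here
    credentials: String,
}

impl Authorization {
    /// Fix 1: reject non-ASCII where credentials enter the type.
    pub fn new(scheme: &'static str, credentials: String) -> Result<Self, NonAscii> {
        let mut auth = Authorization { scheme, credentials: String::new() };
        auth.set_credentials(credentials)?;
        Ok(auth)
    }
    pub fn set_credentials(&mut self, credentials: String) -> Result<(), NonAscii> {
        if !credentials.is_ascii() {
            return Err(NonAscii);
        }
        self.credentials = credentials;
        Ok(())
    }
    /// Fix 2: fallible value() through the checked constructor.
    pub fn value(&self) -> Result<HeaderValue, NonAscii> {
        HeaderValue::from_bytes(format!("{} {}", self.scheme, self.credentials).into_bytes())
    }
}

fn main() {
    let mut auth = Authorization::new("Basic", "dXNlcjpwYXNz".to_string()).unwrap(); // constructed sample
    assert_eq!(auth.set_credentials("α".to_string()), Err(NonAscii));
    println!("{:?}", auth.value().unwrap().as_str().as_bytes());
}
```

With both checks in place, the PoC's `set_credentials("α")` call returns an error and the previously stored credentials stay unchanged, so no unchecked constructor is needed.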
