From cf5a01ea61c351664179ff93148fa942e27c577a Mon Sep 17 00:00:00 2001
From: lecaros <lecaros@calyptia.com>
Date: Wed, 23 Oct 2024 13:42:19 -0700
Subject: [PATCH] in_splunk: splunk token validation must be case-insensitive,
 since that's the behavior from Splunk HEC

Signed-off-by: lecaros <lecaros@calyptia.com>
---
 plugins/in_splunk/splunk_prot.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/in_splunk/splunk_prot.c b/plugins/in_splunk/splunk_prot.c
index cf614b06679..2a599dfd95f 100644
--- a/plugins/in_splunk/splunk_prot.c
+++ b/plugins/in_splunk/splunk_prot.c
@@ -513,7 +513,7 @@ static int validate_auth_header(struct flb_splunk *ctx, struct mk_http_request *
                 continue;
             }
 
-            if (strncmp(splunk_token->header,
+            if (strncasecmp(splunk_token->header,
                         authorization,
                         splunk_token->length) == 0) {
                 flb_sds_destroy(authorization);
@@ -992,7 +992,7 @@ static int validate_auth_header_ng(struct flb_splunk *ctx, struct flb_http_reque
                 return SPLUNK_AUTH_UNAUTHORIZED;
             }
 
-            if (strncmp(splunk_token->header,
+            if (strncasecmp(splunk_token->header,
                         auth_header,
                         splunk_token->length) == 0) {
                 return SPLUNK_AUTH_SUCCESS;