Posted to dev@httpd.apache.org by "Roy T. Fielding" <fi...@liege.ICS.UCI.EDU> on 1996/06/23 19:22:50 UTC

Re: WWW Form Bug Report: "Basic Auth passwords strip leading colon" on Linux (fwd)

>> No ack.  I don't see the bug though.
> 
> The bug is that getword, when presented with "abc::def" will skip both colons,
> resulting in a password of "def". If getword_nulls is used instead, the
> password is ":def". I guess he's probably right, but perhaps the client is
> broken. Or the spec. Hmmm, wonder what 1.1 says.

The server is broken -- the patch (reversed) will fix it, I think.
The spec says

       basic-credentials = "Basic" SP basic-cookie
 
       basic-cookie   = <base64 [7] encoding of user-pass,
                        except not limited to 76 char/line>
 
       user-pass   = userid ":" password
 
       userid      = *<TEXT excluding ":">
 
       password    = *TEXT

but note that his patch is reversed.

.....Roy

>> > *** http_protocol.c     Fri Jun 21 19:36:41 1996
>> > --- http_protocol.c-dist        Mon Jun 17 16:55:25 1996
>> > ***************
>> > *** 582,588 ****
>> >       }
>> >
>> >       t = uudecode (r->pool, auth_line);
>> > !     r->connection->user = getword_nulls (r->pool, &t, ':');
>> >       r->connection->auth_type = "Basic";
>> >
>> >       *pw = t;
>> > --- 582,588 ----
>> >       }
>> >
>> >       t = uudecode (r->pool, auth_line);
>> > !     r->connection->user = getword (r->pool, &t, ':');
>> >       r->connection->auth_type = "Basic";
>> >
>> >       *pw = t;
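
Review bot: The one changed line in hunk 582,588 runs in the wrong direction. The *** (old) side is the edited http_protocol.c calling getword_nulls and the --- (new) side is http_protocol.c-dist calling getword, so applying this as posted puts getword back. Regenerate the diff with http_protocol.c-dist as the old file, or apply it with patch -R, so the result reads: r->connection->user = getword_nulls (r->pool, &t, ':'); A one-line comment there noting that the password may itself begin with or contain ':' would help keep the call from being changed back.
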
>> >
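
The difference discussed in this thread, as an added example that is not part of the original message and is not Apache's source: a hypothetical helper, split_user_pass, takes an already-decoded user-pass string and splits it either by stepping over runs of ':' or at the first ':' only, as the quoted grammar requires. The sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration: split_user_pass() is a hypothetical helper, not
 * Apache's getword()/getword_nulls(). Input is the decoded user-pass.
 * skip_runs=1 steps over every consecutive ':' after the userid (the
 * behaviour the thread attributes to getword); skip_runs=0 consumes
 * exactly one ':' so a leading ':' stays in the password.
 * Returns 0 on success, -1 if ':' is missing or userid does not fit.
 */
static int split_user_pass(const char *user_pass, int skip_runs,
                           char *user, size_t cap, const char **password)
{
    const char *sep = strchr(user_pass, ':');
    size_t n;

    if (sep == NULL)
        return -1;                 /* grammar requires the ":" */
    n = (size_t)(sep - user_pass);
    if (n >= cap)
        return -1;                 /* refuse rather than truncate */
    memcpy(user, user_pass, n);
    user[n] = '\0';

    sep++;                         /* the single separator */
    if (skip_runs)
        while (*sep == ':')
            sep++;                 /* eats the start of the password */
    *password = sep;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "abc::def", "abc:def", "abc:", "abc:::" };
    char user[64];
    const char *pw;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        split_user_pass(samples[i], 1, user, sizeof user, &pw);
        printf("%-9s skip-runs pw=\"%s\"", samples[i], pw);
        split_user_pass(samples[i], 0, user, sizeof user, &pw);
        printf("  first-colon user=\"%s\" pw=\"%s\"\n", user, pw);
    }
    return 0;
}
```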