Posted to dev@httpd.apache.org by "Roy T. Fielding" <fi...@liege.ICS.UCI.EDU> on 1996/06/23 19:22:50 UTC
Re: WWW Form Bug Report: "Basic Auth passwords strip leading colon" on Linux (fwd)
>> No ack. I don't see the bug though.
>
> The bug is that getword, when presented with "abc::def" will skip both colons,
> resulting in a password of "def". If getword_nulls is used instead, the
> password is ":def". I guess he's probably right, but perhaps the client is
> broken. Or the spec. Hmmm, wonder what 1.1 says.
The server is broken -- the patch (reversed) will fix it, I think.
The spec says

    basic-credentials = "Basic" SP basic-cookie
    basic-cookie      = <base64 [7] encoding of user-pass,
                        except not limited to 76 char/line>
    user-pass         = userid ":" password
    userid            = *<TEXT excluding ":">
    password          = *TEXT

but note that his patch is reversed.
.....Roy
>> > *** http_protocol.c Fri Jun 21 19:36:41 1996
>> > --- http_protocol.c-dist Mon Jun 17 16:55:25 1996
>> > ***************
>> > *** 582,588 ****
>> > }
>> >
>> > t = uudecode (r->pool, auth_line);
>> > ! r->connection->user = getword_nulls (r->pool, &t, ':');
>> > r->connection->auth_type = "Basic";
>> >
>> > *pw = t;
>> > --- 582,588 ----
>> > }
>> >
>> > t = uudecode (r->pool, auth_line);
>> > ! r->connection->user = getword (r->pool, &t, ':');
>> > r->connection->auth_type = "Basic";
>> >
>> > *pw = t;
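Review bot: The diff direction is reversed at the changed line of the 582,588 hunk: the `***` side (http_protocol.c, the modified file) carries `getword_nulls (r->pool, &t, ':')` and the `---` side (http_protocol.c-dist) carries `getword (r->pool, &t, ':')`, so applying it as posted swaps getword_nulls back to getword, the opposite of the intended fix. Regenerate the diff with the -dist file as the old side, or apply it with patch -R. A one-line comment above the call stating that only the first ':' separates userid from password, so the password may itself begin with or contain ':', would help keep the call from being changed back later.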
>> >
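The grammar quoted in the message makes only the first ':' a separator between userid and password. The C sketch below is an added example, not code from the Apache source or from anyone in this thread: the function names are hypothetical, password_collapsing only imitates the behaviour the report describes for "abc::def", and the inputs are constructed, already base64-decoded user-pass strings.

```c
#include <stdio.h>
#include <string.h>

/* Split per the quoted grammar: userid excludes ':', password is *TEXT, so
 * only the FIRST ':' is a separator. Returns a pointer to the password inside
 * user_pass (possibly empty, possibly starting with ':'), or NULL when there
 * is no ':' at all. On success *userid_len receives the userid length. */
static const char *password_first_colon(const char *user_pass, size_t *userid_len)
{
    const char *colon = strchr(user_pass, ':');
    if (colon == NULL)
        return NULL;
    *userid_len = (size_t)(colon - user_pass);
    return colon + 1;
}

/* Hypothetical splitter imitating the reported behaviour: after the first
 * ':' it also skips any further ':' characters, eating part of the password. */
static const char *password_collapsing(const char *user_pass, size_t *userid_len)
{
    const char *p = password_first_colon(user_pass, userid_len);
    while (p != NULL && *p == ':')
        p++;
    return p;
}

/* 1 if the two splitters disagree, i.e. the password would be altered. */
static int password_altered(const char *user_pass)
{
    size_t n = 0;
    return password_first_colon(user_pass, &n) != password_collapsing(user_pass, &n);
}

int main(void)
{
    /* Constructed sample inputs (decoded user-pass values). */
    const char *samples[] = { "abc::def", "abc:def", "abc:d:ef", "abc:", "abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = 0;
        const char *pw = password_first_colon(samples[i], &n);
        if (pw == NULL) {
            printf("%-10s -> rejected: no ':' separator\n", samples[i]);
            continue;
        }
        printf("%-10s -> userid=%.*s password=\"%s\"%s\n", samples[i], (int)n, samples[i],
               pw, password_altered(samples[i]) ? "  (collapsing splitter differs)" : "");
    }
    return 0;
}
```

The same sample strings work as a regression check for any credential splitter: a password that starts with ':' or is empty must come back unchanged, and input with no ':' must be rejected rather than treated as a userid with an empty password.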