Posted to notifications@couchdb.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/03/22 13:21:25 UTC

[jira] [Commented] (COUCHDB-2974) Validate userid per RFC7613 in order to support utf-8 in username

    [ https://issues.apache.org/jira/browse/COUCHDB-2974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15206255#comment-15206255 ] 

ASF GitHub Bot commented on COUCHDB-2974:
-----------------------------------------

Github user iilyak commented on the pull request:

    https://github.com/apache/couchdb-chttpd/pull/109#issuecomment-199785630
  
    @kxepal: I did create a jira ticket [COUCHDB-2974](https://issues.apache.org/jira/browse/COUCHDB-2974) to track utf-8 support.


> Validate userid per RFC7613 in order to support utf-8 in username
> -----------------------------------------------------------------
>
>                 Key: COUCHDB-2974
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2974
>             Project: CouchDB
>          Issue Type: New Feature
>            Reporter: ILYA
>
> Currently utf-8 in userid is not supported, since it doesn't seem possible to transmit utf-8 in an http header. We use basic auth, which is based on headers. There is a new [RFC7617|https://datatracker.ietf.org/doc/rfc7617/] which is going to support utf-8. In order to avoid security issues with utf-8 we should either forbid utf-8 in userid or validate it to prohibit certain inputs. There is a proposed [RFC7613|https://datatracker.ietf.org/doc/rfc7613/] which defines what can be in a userid and what shouldn't be there. 
> We need to be aware though that some clients decided to support utf-8 in a non-standard way:
> * [httpie|https://github.com/jkbrzt/httpie/blob/25d1e8e418425a208eca285cbe435a5914da542c/httpie/plugins/builtin.py#L29] - enforces utf-8 encoding
> * [curl|https://github.com/jkbrzt/httpie/issues/212#issuecomment-41280312] - relies on an implementation detail of the base64 cli tool on *nix
> * Opera uses UTF-8;
> * IE uses the system's default codepage (which you have no way of knowing, other than it's never UTF-8), and silently mangles characters that don't fit into it using the Windows ‘guess a random character that looks a bit like the one you wanted or maybe just not’ secret recipe;
> * Mozilla uses only the lower byte of character codepoints, which has the effect of encoding to ISO-8859-1 and mangling the non-8859-1 characters irretrievably... except when doing XMLHttpRequests, in which case it uses UTF-8;
> * Safari and Chrome encode to ISO-8859-1, and fail to send the authorization header at all when a non-8859-1 character is used.
> The info about browsers is from http://stackoverflow.com/a/703341



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
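The ticket above asks for two things: accept Basic credentials that carry UTF-8 (RFC 7617 lets the server advertise this with charset="UTF-8" on the challenge) and validate the resulting userid per RFC 7613. The block below is an added worked example written for this page; it is not CouchDB code (CouchDB is Erlang, this is Python) and not part of the ticket or pull request. It decodes an Authorization header as UTF-8 and falls back to ISO-8859-1 for clients that send Latin-1 bytes, then applies the RFC 7613 UsernameCaseMapped profile steps (width mapping, case folding, NFC, IdentifierClass check). Two simplifications are assumptions of the example, not of the RFC: the IdentifierClass test is an approximation built on Unicode general categories, and the directionality (Bidi) rule is omitted. The sample headers are constructed inline. RFC 7613 has since been obsoleted by RFC 8265, which keeps the same profile names.

```python
import base64
import binascii
import unicodedata

# RFC 7617, section 2.1: a server that expects UTF-8 credentials says so in the
# challenge. The realm name is a constructed example value.
WWW_AUTHENTICATE_CHALLENGE = 'Basic realm="couchdb", charset="UTF-8"'


def decode_basic_credentials(header_value):
    """Split a Basic Authorization header into (userid, password, charset).

    Tries UTF-8 first (the RFC 7617 behaviour). If the bytes are not valid
    UTF-8, falls back to ISO-8859-1, which is what several of the clients
    listed in the ticket actually send.
    """
    scheme, _, token = header_value.strip().partition(' ')
    if scheme.lower() != 'basic':
        raise ValueError('not a Basic credential')
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError('credential is not valid base64') from exc
    try:
        text, charset = raw.decode('utf-8'), 'utf-8'
    except UnicodeDecodeError:
        text, charset = raw.decode('iso-8859-1'), 'iso-8859-1'
    userid, sep, password = text.partition(':')
    if not sep:
        raise ValueError('credential has no ":" separator')
    return userid, password, charset


def _width_map(s):
    """RFC 7613 width mapping: fold fullwidth/halfwidth forms to their base."""
    out = []
    for ch in s:
        decomp = unicodedata.decomposition(ch)
        if decomp.startswith('<wide>') or decomp.startswith('<narrow>'):
            ch = unicodedata.normalize('NFKC', ch)
        out.append(ch)
    return ''.join(out)


# Approximation of the PRECIS IdentifierClass (RFC 7564): printable ASCII
# except space, plus letters, digits and combining marks. Non-ASCII symbols,
# punctuation, spaces and controls are rejected. This is the example's own
# simplification; a full implementation consults the RFC 7564 derived tables.
_LETTER_DIGIT_CATEGORIES = {'Ll', 'Lu', 'Lo', 'Nd', 'Lm', 'Mn', 'Mc'}


def _in_identifier_class(ch):
    cp = ord(ch)
    if 0x21 <= cp <= 0x7E:      # ASCII7: printable ASCII, space excluded
        return True
    if cp < 0x80:               # space, C0 controls, DEL
        return False
    return unicodedata.category(ch) in _LETTER_DIGIT_CATEGORIES


def enforce_username_case_mapped(userid):
    """Apply the UsernameCaseMapped profile and return the canonical userid.

    Order follows RFC 7613 section 3.3: width mapping, case mapping (Unicode
    default case folding), NFC normalization, then the string-class check.
    The directionality rule is deliberately not implemented here.
    """
    s = _width_map(userid)
    s = s.casefold()
    s = unicodedata.normalize('NFC', s)
    if not s:
        raise ValueError('userid must not be empty')
    for ch in s:
        if not _in_identifier_class(ch):
            raise ValueError('disallowed code point U+%04X in userid' % ord(ch))
    return s


def is_valid_userid(userid):
    """Boolean wrapper around enforce_username_case_mapped()."""
    try:
        enforce_username_case_mapped(userid)
        return True
    except ValueError:
        return False


def userid_from_basic_header(header_value):
    """Decode the header and return the canonical userid, or None if invalid."""
    try:
        userid, _password, _charset = decode_basic_credentials(header_value)
        return enforce_username_case_mapped(userid)
    except ValueError:
        return None


# Constructed sample headers: one client sending UTF-8, one sending Latin-1.
SAMPLE_UTF8_HEADER = 'Basic ' + base64.b64encode(
    'jürgen:geheim'.encode('utf-8')).decode('ascii')
SAMPLE_LATIN1_HEADER = 'Basic ' + base64.b64encode(
    'jürgen:geheim'.encode('iso-8859-1')).decode('ascii')

if __name__ == '__main__':
    for hdr in (SAMPLE_UTF8_HEADER, SAMPLE_LATIN1_HEADER):
        print(hdr, '->', decode_basic_credentials(hdr))
    for name in ('Admin', '\uff21dmin', 'Stra\u00dfe', 'foo bar', '\u3000'):
        print(repr(name), '->', is_valid_userid(name))
```

Because case folding and NFC run before the lookup, "Admin", the fullwidth "Ａdmin" and "admin" all resolve to the same stored user, which is the point of validating per the profile rather than comparing raw header bytes. Note that folding changes length ("Straße" becomes "strasse"), so any length limit must be applied to the canonical form.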