hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 34961] New: - HttpClient does not correctly handle escaped characters in HTTP header elements
Date Wed, 18 May 2005 14:38:42 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=34961>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=34961

           Summary: HttpClient does not correctly handle escaped characters
                    in HTTP header elements
           Product: HttpClient
           Version: 3.0 RC2
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: major
          Priority: P2
         Component: Commons HttpClient
        AssignedTo: httpclient-dev@jakarta.apache.org
        ReportedBy: olegk@apache.org


An excerpt from Microsoft's "How Digest Authentication Works":
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/717b450c-f4a0-4cc9-86f4-cc0633aae5f9.mspx

<quote>
* RFC 2617-compliant Digest Authentication challenges and responses must also
comply with RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1 quoted string
requirements. This requirement particularly affects the use of backslash (\) and
embedded double quotes. Both must be preceded (escaped) with a backslash.

* For example, domain\username according to RFC 2616 is read as domainusername.
This reading is important because if an application sends information in this
format rather than as domain\\username, authentication fails.

* However, because this is a known issue with domain\username , if
authenticating with backslash encoding fails, Digest SSP attempts to
authenticate the response and assumes that the backslash is part of the string.
This behavior can be turned off by setting the ServerCompat registry key.
</quote>

Review and fix the ParameterParser class and classes implemeting CookieSpec or
AuthScheme interfaces

See also PR #34909

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org


Mime
View raw message