Date: Sat, 11 Oct 2014 12:44:33 +0000 (UTC)
From: "Oleg Kalnichevski (JIRA)"
To: dev@hc.apache.org
Subject: [jira] [Updated] (HTTPCLIENT-1566) Obvious bug in HTTP Basic Authentication!

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCLIENT-1566:
------------------------------------------
         Priority: Major  (was: Blocker)
    Fix Version/s: 4.3.5.1-android

> Obvious bug in HTTP Basic Authentication!
> -----------------------------------------
>
>                 Key: HTTPCLIENT-1566
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1566
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: Android Port
>    Affects Versions: 4.3.5
>            Reporter: Rainer Burgstaller
>             Fix For: 4.3.5.1-android
>
>
> There is an obvious bug in android httpclient 4.3.5 in {{BasicSchemeHC4.authenticate()}}
> {code:java}
>     /**
>      * Produces basic authorization header for the given set of {@link Credentials}.
>      *
>      * @param credentials The set of credentials to be used for authentication
>      * @param request The request being authenticated
>      * @throws org.apache.http.auth.InvalidCredentialsException if authentication
>      *   credentials are not valid or not applicable for this authentication scheme
>      * @throws AuthenticationException if authorization string cannot
>      *   be generated due to an authentication failure
>      *
>      * @return a basic authorization string
>      */
>     @Override
>     public Header authenticate(
>             final Credentials credentials,
>             final HttpRequest request,
>             final HttpContext context) throws AuthenticationException {
>         Args.notNull(credentials, "Credentials");
>         Args.notNull(request, "HTTP request");
>         final StringBuilder tmp = new StringBuilder();
>         tmp.append(credentials.getUserPrincipal().getName());
>         tmp.append(":");
>         tmp.append((credentials.getPassword() == null) ? "null" : credentials.getPassword());
>         final byte[] base64password = Base64.decode(
>                 EncodingUtils.getBytes(tmp.toString(), getCredentialsCharset(request)),
>                 Base64.NO_WRAP);
> {code}
> It is quite obvious that decoding a plaintext string "username:password" as Base64 will not work. The bug was introduced in revision {{1.616.447}}.
> This is the original code from HC
> {code:java}
>         final byte[] base64password = base64codec.encode(
>                 EncodingUtils.getBytes(tmp.toString(), getCredentialsCharset(request)));
> {code}
> Please fix asap.
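
A round-trip regression check for the encode/decode swap described in the quoted report, as an added example that is not part of the original message or of HttpClient. It assumes `java.util.Base64` as a stand-in for the codec calls in the quoted code; the class name, method names and sample credentials are hypothetical and constructed for illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration; class and method names are hypothetical, not HttpClient API.
public class BasicAuthRoundTrip {

    // Builds the value the quoted method is meant to produce: "user:password"
    // (literal "null" when no password is set), Base64-ENCODED in the given charset.
    static String headerValue(String user, String password, Charset cs) {
        String pair = user + ":" + (password == null ? "null" : password);
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(cs));
    }

    // Server-side view: strip the scheme, Base64-decode, split at the first ':'.
    static String[] parse(String value, Charset cs) {
        if (!value.startsWith("Basic ")) throw new IllegalArgumentException("not Basic");
        String pair = new String(Base64.getDecoder().decode(value.substring(6)), cs);
        int colon = pair.indexOf(':');
        if (colon < 0) throw new IllegalArgumentException("no user:password separator");
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        // Constructed sample credentials: plain, colons in password, non-ASCII, no password.
        String[][] samples = {
            {"alice", "s3cret"}, {"bob", "pa:ss:word"}, {"carol", "p\u00e4ssw\u00f6rd"}, {"dave", null}
        };
        for (Charset cs : new Charset[] {StandardCharsets.UTF_8, StandardCharsets.ISO_8859_1}) {
            for (String[] s : samples) {
                String[] back = parse(headerValue(s[0], s[1], cs), cs);
                check(back[0].equals(s[0]), "user survives round trip");
                check(back[1].equals(s[1] == null ? "null" : s[1]), "password survives round trip");
            }
        }
        // The swapped call from the report: decoding the plaintext pair instead of encoding it.
        try {
            Base64.getDecoder().decode("alice:s3cret".getBytes(StandardCharsets.US_ASCII));
            throw new AssertionError("plaintext credentials were accepted as Base64");
        } catch (IllegalArgumentException expected) {
            System.out.println("decode() on plaintext fails: " + expected.getMessage());
        }
        System.out.println("all round trips ok");
    }
}
```

The exception in the last step is `java.util.Base64` behaviour; a more lenient decoder may return garbage bytes instead of throwing, so the round-trip assertions are the part to keep in a test suite.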