Date: Sat, 11 Oct 2014 16:19:34 +0000 (UTC)
From: "Oleg Kalnichevski (JIRA)"
To: dev@hc.apache.org
Subject: [jira] [Resolved] (HTTPCLIENT-1566) Obvious bug in HTTP Basic Authentication!

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski resolved HTTPCLIENT-1566.
-------------------------------------------
    Resolution: Fixed

Fixed in 4.3.5-android branch.

Oleg

> Obvious bug in HTTP Basic Authentication!
> -----------------------------------------
>
>                 Key: HTTPCLIENT-1566
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1566
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: Android Port
>    Affects Versions: 4.3.5
>            Reporter: Rainer Burgstaller
>             Fix For: 4.3.5.1-android
>
>
> There is an obvious bug in android httpclient 4.3.5 in {{BasicSchemeHC4.authenticate()}}
> {code:java}
>     /**
>      * Produces basic authorization header for the given set of {@link Credentials}.
>      *
>      * @param credentials The set of credentials to be used for authentication
>      * @param request The request being authenticated
>      * @throws org.apache.http.auth.InvalidCredentialsException if authentication
>      *   credentials are not valid or not applicable for this authentication scheme
>      * @throws AuthenticationException if authorization string cannot
>      *   be generated due to an authentication failure
>      *
>      * @return a basic authorization string
>      */
>     @Override
>     public Header authenticate(
>             final Credentials credentials,
>             final HttpRequest request,
>             final HttpContext context) throws AuthenticationException {
>         Args.notNull(credentials, "Credentials");
>         Args.notNull(request, "HTTP request");
>         final StringBuilder tmp = new StringBuilder();
>         tmp.append(credentials.getUserPrincipal().getName());
>         tmp.append(":");
>         tmp.append((credentials.getPassword() == null) ? "null" : credentials.getPassword());
>         final byte[] base64password = Base64.decode(
>                 EncodingUtils.getBytes(tmp.toString(), getCredentialsCharset(request)),
>                 Base64.NO_WRAP);
> {code}
> It is quite obvious that decoding a plaintext string "username:password" as Base64 will not work. The bug was introduced in revision {{1.616.447}}.
> This is the original code from HC
> {code:java}
>         final byte[] base64password = base64codec.encode(
>                 EncodingUtils.getBytes(tmp.toString(), getCredentialsCharset(request)));
> {code}
> Please fix asap.
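
A round-trip check for the encode/decode mix-up reported above, as an added example that is not part of the original message or of HttpClient's code. It uses `java.util.Base64` instead of the Base64 classes the quoted code calls; the class name, method names and sample credentials are constructed for illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthHeaderCheck {

    /** Builds the Authorization header value for the Basic scheme (RFC 7617). */
    static String basicHeaderValue(String user, String password, Charset charset) {
        // Encode "user:password"; this is the step the report says became a decode.
        byte[] raw = (user + ":" + password).getBytes(charset);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /** Server-side view: recovers "user:password" from a header value, or null if malformed. */
    static String decodeBasicHeader(String headerValue, Charset charset) {
        if (headerValue == null || !headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        try {
            byte[] raw = Base64.getDecoder().decode(headerValue.substring(6).trim());
            return new String(raw, charset);
        } catch (IllegalArgumentException e) {
            return null; // payload is not valid Base64
        }
    }

    public static void main(String[] args) {
        Charset cs = StandardCharsets.UTF_8;
        String user = "alice";                  // constructed sample credentials
        String password = "s3cret:with:colons"; // passwords may contain ':'

        String header = basicHeaderValue(user, password, cs);
        String roundTrip = decodeBasicHeader(header, cs);
        if (!(user + ":" + password).equals(roundTrip)) {
            throw new AssertionError("header does not round-trip: " + header);
        }
        System.out.println("Authorization: " + header);

        // The reported mistake: decoding the plaintext pair instead of encoding it.
        // java.util.Base64 rejects the input because ':' is outside the Base64 alphabet.
        try {
            Base64.getDecoder().decode((user + ":" + password).getBytes(cs));
            throw new AssertionError("plaintext credentials were accepted as Base64");
        } catch (IllegalArgumentException expected) {
            System.out.println("decode of plaintext credentials rejected: " + expected.getMessage());
        }
    }
}
```

A unit test of this shape, asserting that the generated header decodes back to the original credentials, catches an encode/decode swap before release.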