httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aram Mirzadeh <>
Subject Re: WWW Form Bug Report: "Auth Basic Passwords cannot start with a ':'" on Linux (fwd)
Date Thu, 02 May 1996 13:19:21 GMT
At 01:10 AM 5/2/96 -0700, you wrote:
>> Make sense.  I also had the problem, but I just made the password a legal
>> Is ':' a legal character? 
>Yes, the BNF is
>   userid-password = [ token ] ":" *TEXT
>which means the userid is restricted to token characters (which excludes ":")
>and that the password can be anything.  Actually, I should have split
>that definition to make it clear where the userid ends and the password
>begins, but that is restated in the text (and nobody has complained about it).
>In other words, it's a bug in Apache 1.0.x.

Okay, I'll tell him to upgrade.  Is it a simple patch to 1.0.x to fix this?  
Maybe we should make it available. 

>>> get_basic_auth_pw() calls getword() to get the
>>> user-supplied authentication password.  getword(),
>>> after finding the 'stop' character, skips past
>>> multiple 'stop' characters until it find a
>>> non-stop character.  This causes passwords that
>>> start with colons to have the colons stripped off
>>> (and the user authentication fails).
Aram W. Mirzadeh, MIS Manager, Qosina Corporation,
Apache httpd server team

View raw message