httpd-dev mailing list archives

From "Roy T. Fielding" <field...@avron.ICS.UCI.EDU>
Subject Re: WWW Form Bug Report: "Auth Basic Passwords cannot start with a ':'" on Linux (fwd)
Date Thu, 02 May 1996 08:10:40 GMT
> Makes sense.  I also had the problem, but I just made the password a legal one.
> Is ':' a legal character? 

Yes, the BNF is

   userid-password = [ token ] ":" *TEXT

which means the userid is restricted to token characters (which excludes ":")
and that the password can be anything.  Actually, I should have split
that definition to make it clear where the userid ends and the password
begins, but that is restated in the text (and nobody has complained about it).

In other words, it's a bug in Apache 1.0.x.

>> get_basic_auth_pw() calls getword() to get the
>> user-supplied authentication password.  getword(),
>> after finding the 'stop' character, skips past
>> multiple 'stop' characters until it finds a
>> non-stop character.  This causes passwords that
>> start with colons to have the colons stripped off
>> (and the user authentication fails).

.....Roy
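
The difference between the reported behaviour and the BNF quoted in the message, as an added example that is not part of the original message and is not Apache source code. `split_credentials` is a hypothetical helper and the credential strings are constructed samples; it assumes the Basic credentials have already been base64-decoded.

```c
#include <stdio.h>
#include <string.h>

/* Split decoded Basic credentials "userid:password" at the first ':'.
 * Copies the userid into user[] and returns a pointer to the password
 * inside cred, or NULL if there is no ':' or the userid does not fit.
 * skip_repeats=1 reproduces the behaviour described in the bug report
 * (every consecutive ':' after the userid is skipped);
 * skip_repeats=0 follows the BNF: the password is everything after the
 * first ':' and may itself begin with or contain ':'. */
static const char *split_credentials(const char *cred, char *user,
                                     size_t usz, int skip_repeats)
{
    const char *colon = strchr(cred, ':');
    if (colon == NULL)
        return NULL;                 /* malformed: no separator */

    size_t n = (size_t)(colon - cred);
    if (n >= usz)
        return NULL;                 /* reject instead of truncating */
    memcpy(user, cred, n);
    user[n] = '\0';

    const char *pw = colon + 1;
    if (skip_repeats)
        while (*pw == ':')           /* eats leading colons of the password */
            pw++;
    return pw;
}

int main(void)
{
    /* Constructed sample: userid "alice", password ":secret". */
    const char *cred = "alice::secret";
    char user[32];

    printf("skipping repeats: \"%s\"\n",
           split_credentials(cred, user, sizeof user, 1));
    printf("first colon only: \"%s\"\n",
           split_credentials(cred, user, sizeof user, 0));
    return 0;
}
```

With the skipping behaviour the password compared against the stored one is `secret` rather than `:secret`, so a valid login fails; colons later in the password are unaffected in both modes.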
