httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: WWW Form Bug Report: "Basic Auth passwords strip leading colon" on Linux (fwd)
Date Sun, 23 Jun 1996 17:17:19 GMT
Roy T. Fielding wrote:
> 
> >> No ack.  I don't see the bug though.
> > 
> > The bug is that getword, when presented with "abc::def" will skip both colons,
> > resulting in a password of "def". If getword_nulls is used instead, the
> > password is ":def". I guess he's probably right, but perhaps the client is
> > broken. Or the spec. Hmmm, wonder what 1.1 says.
> 
> The server is broken -- the patch (reversed) will fix it, I think.
> The spec says
> 
>        basic-credentials = "Basic" SP basic-cookie
>  
>        basic-cookie   = <base64 [7] encoding of user-pass,
>                         except not limited to 76 char/line>
>  
>        user-pass   = userid ":" password
>  
>        userid      = *<TEXT excluding ":">
>  
>        password    = *TEXT
> 
> but note that his patch is reversed.

I had noted that but I forgot to mention it ;-)

Anyway, I'm committing a patch...

Cheers,

Ben.

> 
> .....Roy
> 
> >> > *** http_protocol.c     Fri Jun 21 19:36:41 1996
> >> > --- http_protocol.c-dist        Mon Jun 17 16:55:25 1996
> >> > ***************
> >> > *** 582,588 ****
> >> >       }
> >> >
> >> >       t = uudecode (r->pool, auth_line);
> >> > !     r->connection->user = getword_nulls (r->pool, &t, ':');
> >> >       r->connection->auth_type = "Basic";
> >> >
> >> >       *pw = t;
> >> > --- 582,588 ----
> >> >       }
> >> >
> >> >       t = uudecode (r->pool, auth_line);
> >> > !     r->connection->user = getword (r->pool, &t, ':');
> >> >       r->connection->auth_type = "Basic";
> >> >
> >> >       *pw = t;
> >> >
> 
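Review bot: The diff direction is inverted. The old side (`***`) is the modified http_protocol.c with getword_nulls and the new side (`---`) is http_protocol.c-dist with getword, so applying the hunk as posted replaces getword_nulls with getword on the line marked `!`, the opposite of the fix under discussion. Regenerate it as diff -c http_protocol.c-dist http_protocol.c, or apply it with patch -R. A one-line comment on the changed call saying that the password may begin with or contain ':' would keep it from being switched back to getword later.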

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.
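
The two splitting behaviours discussed in this thread, side by side, as an added example that is not part of the original message and is not Apache's code. The function names are hypothetical, and "abc::def" is the sample string from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Apache's getword/getword_nulls): split the decoded
 * user-pass string at its first ':'.  With skip_repeats != 0 it also skips
 * every colon that directly follows, the behaviour the thread describes for
 * getword.  Returns 0 on success, -1 on a missing colon or a short buffer. */
static int split_impl(const char *in, char *user, size_t usz,
                      char *pw, size_t psz, int skip_repeats)
{
    const char *colon = strchr(in, ':');
    if (colon == NULL)
        return -1;                      /* not a valid user-pass at all */
    size_t ulen = (size_t)(colon - in);
    const char *rest = colon + 1;       /* consume exactly one delimiter */
    while (skip_repeats && *rest == ':')
        rest++;                         /* eats the password's leading colons */
    size_t plen = strlen(rest);
    if (ulen >= usz || plen >= psz)
        return -1;
    memcpy(user, in, ulen);
    user[ulen] = '\0';
    memcpy(pw, rest, plen + 1);         /* copies the terminating NUL too */
    return 0;
}

/* Grammar-conforming split: password = *TEXT may contain or start with ':'. */
int split_first_colon(const char *in, char *user, size_t usz, char *pw, size_t psz)
{
    return split_impl(in, user, usz, pw, psz, 0);
}

/* Lossy split matching the reported bug. */
int split_skip_repeats(const char *in, char *user, size_t usz, char *pw, size_t psz)
{
    return split_impl(in, user, usz, pw, psz, 1);
}

int main(void)
{
    char u[32], p[32];
    const char *sample = "abc::def";    /* constructed input from the thread */
    if (split_first_colon(sample, u, sizeof u, p, sizeof p) == 0)
        printf("first colon only : user=%s password=%s\n", u, p);
    if (split_skip_repeats(sample, u, sizeof u, p, sizeof p) == 0)
        printf("skip repeats     : user=%s password=%s\n", u, p);
    return 0;
}
```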
