httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rasmus Lerdorf <>
Subject Re: Strange auth bug
Date Wed, 11 Nov 1998 08:40:41 GMT
> Strange. When I pass this to a RFC2045 compliant base64 encode/decode function
> I get:
> | :> ./base64 encode 'tätär'
> | dOR05HI=
> | rse@en1:/e/apache/SSL/trail
> | :>
> | :> ./base64 decode 'dOR05HI='
> | tätär
> | rse@en1:/e/apache/SSL/trail
> | :>
> which looks more correct to me. So, are both Netscape and IE broken?
> Hmmm... confusing.

No, you forgot about the password.  I was setting the username to "tätär"
*and* the password to "blah".

If I use a blank password and just set the username to tätär IE5 sends an
Authorization header of:

 Basic dOR05HI6

And Netscape sends:

 Basic dOR0 

I tcpdumped the connection as well to eliminate the possibility that
Netscape might be sending an embedded \0 (which would still be a bug) and
it really only sends the above.  There is nothing else on the wire.

Testing a bunch of them:

täten              täten             (ok)
töten              töten             (ok)
tüten              tüten             (ok)
tätär              tät               (error)
tütür              tüt               (error)
tötör              töt               (error)
tätärä             tät               (error)
tütürü             tüt               (error)
tötörö             töt               (error)
daß                daß               (ok)
ßad                '' (emtpy string) (error)
TÜR                TÜR               (ok)
TÜRÜ               TÜR               (error)
österreich         '' (empty string) (error)
äste               '' (empty string) (error)
üst                '' (empty string) (error)
Tabalugä           Tabalugä          (ok)
Taß_Kaffä          Taß_Kaffä         (ok)
Taßtä              Taßtä             (ok)
Taßä               Taß               (error)
röstän             röstän            (ok)
reloümä            reloüm            (error)
børge              børge             (ok)
øl                 '' (empty string) (error)

Ok, so the pattern emerges.  More than 1 8-bit char in the string, or if
the first char of the string is an 8-bit char and Netscape's encoding
algorithm gets hopelessly confused.

You'd think all sorts of Scandinavians and Germans would have screamed
about this before though.


View raw message