#1230 Authorization header does not employ escaping

Status: closed-fixed
Labels: None
Priority: 4
Updated: 2013-06-21
Created: 2013-05-27
Creator: Nach M. S.
Private: No

curl 7.30.0 (x86_64-pc-linux-gnu) libcurl/7.30.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.25 libssh2/1.4.2 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

According to RFC2617, the Authorization header is supposed to be a quoted-string. According to RFC2616 and its errata, a quoted-string is a string enclosed between two double quote characters, and all double quote characters and backslash characters within it are preceded by a backslash.

cURL does not escape, as can be seen when passing a username containing " and \ with Digest Authentication.

I see it sending the following to my server in a test:
Authorization: Digest username="Nach = " \ -", realm="Test", nonce="JlGjUQAAAAByWa0wBPwJElZJ7HJq1GSwRDkLcgxigS2q6IEPrdlLXGXCKtrvx4cN", uri="/digest/", cnonce="ICAgICAgICAgICAgICAgICAgICAgICAgICA2MTE5NTA=", nc=00000001, qop=auth, response="629c3aa78e84563dfeaafdd836fa708b", algorithm="MD5-sess"

Clearly that username field is wrong, and should be: username="Nach = \" \ -"

User-agents which properly escape:
Firefox
Chrome

User-agents which do not properly escape:
cURL
Opera

I didn't test beyond these.

Edit:
It looks like SourceForge's bug editor is screwing with the slashes, so I'm copying this report elsewhere, so it can be viewed correctly: http://paste.nachsoftware.com/Nach/XvtgYe5a2911e72d11f69358651a3578a86df6pP
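The quoted-string rule the report relies on, written out as a small C quoter/unquoter so the expected escaping of the username above can be checked mechanically. This is an added example for this page, not libcurl's code and not the patch attached to the ticket; the function names http_quote_string, http_unquote_string and digest_username_param are hypothetical, and the sample username is the one from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Produce an RFC 2616 quoted-string: wrap the value in double quotes and
 * put a backslash in front of every '"' and '\' inside it (quoted-pair).
 * Returns a malloc'd string the caller frees, or NULL on allocation
 * failure. Hypothetical helper written for this page, not libcurl's. */
char *http_quote_string(const char *s)
{
    size_t len = strlen(s), extra = 0;
    for (size_t i = 0; i < len; i++)
        if (s[i] == '"' || s[i] == '\\')
            extra++;
    char *out = malloc(len + extra + 3); /* two quotes plus NUL */
    if (!out)
        return NULL;
    char *p = out;
    *p++ = '"';
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '"' || s[i] == '\\')
            *p++ = '\\';
        *p++ = s[i];
    }
    *p++ = '"';
    *p = '\0';
    return out;
}

/* Inverse operation, as a server-side parser would need it: strips the
 * surrounding quotes and resolves each quoted-pair. Returns NULL when the
 * input is not a well-formed quoted-string (no opening quote, no closing
 * quote, or a lone trailing backslash), so a caller cannot mistake the
 * unescaped form curl used to send for a valid value. */
char *http_unquote_string(const char *q)
{
    size_t len = strlen(q);
    if (len < 2 || q[0] != '"')
        return NULL;
    char *out = malloc(len);
    if (!out)
        return NULL;
    char *p = out;
    size_t i = 1;
    for (; i < len; i++) {
        if (q[i] == '\\') {
            if (i + 1 >= len) { /* backslash with nothing after it */
                free(out);
                return NULL;
            }
            *p++ = q[++i];
        } else if (q[i] == '"') {
            break; /* closing quote */
        } else {
            *p++ = q[i];
        }
    }
    if (i >= len) { /* ran off the end without a closing quote */
        free(out);
        return NULL;
    }
    *p = '\0';
    return out;
}

/* Build the username=... parameter of a Digest Authorization header from
 * a raw user name. Returns a malloc'd string or NULL. */
char *digest_username_param(const char *user)
{
    char *quoted = http_quote_string(user);
    if (!quoted)
        return NULL;
    size_t n = strlen("username=") + strlen(quoted) + 1;
    char *param = malloc(n);
    if (param)
        snprintf(param, n, "username=%s", quoted);
    free(quoted);
    return param;
}

int main(void)
{
    /* The user name from the report: Nach = " \ - */
    const char *user = "Nach = \" \\ -";
    char *param = digest_username_param(user);
    printf("Unescaped (what the report saw): username=\"%s\"\n", user);
    printf("Escaped   (quoted-string form):  %s\n", param);
    free(param);
    return 0;
}
```

The same quoted-pair rule applies to every quoted-string parameter in the Digest header (realm, nonce, uri, cnonce, opaque), not only to username; a client that quotes a value it did not generate itself should route it through a single quoting routine rather than wrapping it in literal double quotes.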

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2013-05-27
    • status: open --> open-confirmed
    • assigned_to: Daniel Stenberg
    • Priority: 5 --> 4
     
  • Daniel Stenberg

    Daniel Stenberg - 2013-05-27

    Thanks for your report. I can confirm that this is indeed still a problem in the current code base.

    Are you up to providing a patch for this?

     
  • Nach M. S.

    Nach M. S. - 2013-05-27

    Yes, I should be able to patch it.

     
  • Nach M. S.

    Nach M. S. - 2013-05-27

    Okay, I think this patch should do the trick. Let me know if it's okay.

     
  • Daniel Stenberg

    Daniel Stenberg - 2013-05-27
    • status: open-confirmed --> closed-fixed
     
  • Daniel Stenberg

    Daniel Stenberg - 2013-05-27

    Thanks a lot. I edited the patch slightly, and merged it as commit ac419bf562c419. I also added a new test case (1229) to verify it with. Case closed!

     
