curl 7.30.0 (x86_64-pc-linux-gnu) libcurl/7.30.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.25 libssh2/1.4.2 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
According to RFC2617, the Authorization header is supposed to be a quoted-string. According to RFC2616 and its errata, a quoted-string is a string enclosed between two double quote characters, and all double quote characters and backslash characters within it are preceded by a backslash.
cURL does not escape, as can be seen when passing a username containing " and \ with Digest Authentication.
I see it sending the following to my server in a test:
Authorization: Digest username="Nach = " \ -", realm="Test", nonce="JlGjUQAAAAByWa0wBPwJElZJ7HJq1GSwRDkLcgxigS2q6IEPrdlLXGXCKtrvx4cN", uri="/digest/", cnonce="ICAgICAgICAgICAgICAgICAgICAgICAgICA2MTE5NTA=", nc=00000001, qop=auth, response="629c3aa78e84563dfeaafdd836fa708b", algorithm="MD5-sess"
Clearly that username field is wrong, and should be: username="Nach = \" \ -"
User-agents which properly escape:
User-agents which do not properly escape:
I didn't test beyond these.
It looks like SourceForge's bug editor is screwing with the slashes, so I'm copying this report elsewhere, so it can be viewed correctly: http://paste.nachsoftware.com/Nach/XvtgYe5a2911e72d11f69358651a3578a86df6pP
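
The escaping rule this report describes, as an added example (not code from the report or from libcurl): `quote_escape` and `quote_parse` are hypothetical helpers, and the username is a constructed sample copied from the header as it is displayed above. It also shows what a receiver that parses the quoted-string by the RFC rule extracts when the value is sent unescaped.

```c
#include <stdio.h>
#include <string.h>

/* Escape `in` for an HTTP quoted-string: put a backslash before every '"'
 * and '\'. Returns the output length, or -1 if `out` is too small. */
static int quote_escape(const char *in, char *out, size_t outlen)
{
  size_t o = 0;
  if(outlen == 0) return -1;
  for(; *in; in++) {
    if(*in == '"' || *in == '\\') {
      if(o + 1 >= outlen) return -1;
      out[o++] = '\\';
    }
    if(o + 1 >= outlen) return -1;
    out[o++] = *in;
  }
  out[o] = '\0';
  return (int)o;
}

/* Decode a quoted-string starting at its opening '"': stop at the first
 * unescaped '"', drop escaping backslashes. Returns the decoded length,
 * or -1 if the input is malformed or `out` is too small. */
static int quote_parse(const char *in, char *out, size_t outlen)
{
  size_t o = 0;
  if(outlen == 0 || *in++ != '"') return -1;
  for(; *in && *in != '"'; in++) {
    if(*in == '\\' && !*++in) return -1;   /* dangling backslash */
    if(o + 1 >= outlen) return -1;
    out[o++] = *in;
  }
  if(*in != '"') return -1;                /* unterminated string */
  out[o] = '\0';
  return (int)o;
}

int main(void)
{
  const char *user = "Nach = \" \\ -";     /* constructed sample input */
  char esc[64], hdr[96], got[64];
  snprintf(hdr, sizeof(hdr), "\"%s\", realm=\"Test\"", user);
  if(quote_parse(hdr, got, sizeof(got)) >= 0)
    printf("unescaped: username=%s\n  parsed as [%s]\n", hdr, got);
  if(quote_escape(user, esc, sizeof(esc)) < 0) return 1;
  snprintf(hdr, sizeof(hdr), "\"%s\", realm=\"Test\"", esc);
  if(quote_parse(hdr, got, sizeof(got)) >= 0)
    printf("escaped:   username=%s\n  parsed as [%s]\n", hdr, got);
  return 0;
}
```

With the unescaped header the receiver's username ends at the first embedded double quote, so it no longer matches the name the client used to compute the digest response.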