#1230 Authorization header does not employ escaping

Nach M. S.

curl 7.30.0 (x86_64-pc-linux-gnu) libcurl/7.30.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.25 libssh2/1.4.2 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

According to RFC2617, the Authorization header is supposed to be a quoted-string. According to RFC2616 and its errata, a quoted-string is a string enclosed between two double quote characters, and all double quote characters and backslash characters within it are preceded by a backslash.

cURL does not escape, as can be seen when passing a username containing " and \ with Digest Authentication.

I see it sending the following to my server in a test:
Authorization: Digest username="Nach = " \ -", realm="Test", nonce="JlGjUQAAAAByWa0wBPwJElZJ7HJq1GSwRDkLcgxigS2q6IEPrdlLXGXCKtrvx4cN", uri="/digest/", cnonce="ICAgICAgICAgICAgICAgICAgICAgICAgICA2MTE5NTA=", nc=00000001, qop=auth, response="629c3aa78e84563dfeaafdd836fa708b", algorithm="MD5-sess"

Clearly that username field is wrong, and should be: username="Nach = \" \ -"

User-agents which properly escape:

User-agents which do not properly escape:

I didn't test beyond these.

It looks like SourceForge's bug editor is screwing with the slashes, so I'm copying this report elsewhere, so it can be viewed correctly: http://paste.nachsoftware.com/Nach/XvtgYe5a2911e72d11f69358651a3578a86df6pP
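
The quoted-string escaping rule described in the report above, as an added example that is not part of the original report and is not curl's own code. `quoted_string_escape` and `digest_username_param` are hypothetical helpers, and rejecting CR/LF is a choice made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libcurl function): copy src into dst as the
 * body of an HTTP quoted-string, placing a backslash before every '"' and
 * '\\'. Returns the escaped length, or -1 if dst is too small or src holds
 * CR/LF (rejected as a choice of this example, so the value cannot end the
 * header line early). */
static int quoted_string_escape(const char *src, char *dst, size_t dstlen)
{
  size_t o = 0;
  for(; *src; src++) {
    if(*src == '\r' || *src == '\n')
      return -1;
    if(*src == '"' || *src == '\\') {
      if(o + 1 >= dstlen)
        return -1;
      dst[o++] = '\\';          /* the escape itself */
    }
    if(o + 1 >= dstlen)         /* keep one byte for the terminator */
      return -1;
    dst[o++] = *src;
  }
  if(o >= dstlen)
    return -1;
  dst[o] = '\0';
  return (int)o;
}

/* Hypothetical helper: build the username="..." parameter of a Digest
 * Authorization header. Returns the length written, or -1 on failure. */
static int digest_username_param(const char *user, char *out, size_t outlen)
{
  char esc[256];
  int n;
  if(quoted_string_escape(user, esc, sizeof(esc)) < 0)
    return -1;
  n = snprintf(out, outlen, "username=\"%s\"", esc);
  return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
  char buf[64];
  /* The username from the report: Nach = " \ - */
  if(digest_username_param("Nach = \" \\ -", buf, sizeof(buf)) > 0)
    puts(buf);
  return 0;
}
```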


  • Daniel Stenberg

    Daniel Stenberg - 2013-05-27
    • status: open --> open-confirmed
    • assigned_to: Daniel Stenberg
    • Priority: 5 --> 4
  • Daniel Stenberg

    Daniel Stenberg - 2013-05-27

    Thanks for your report. I can confirm that this is indeed still a problem in the current code base.

    Are you up to providing a patch for this?

  • Nach M. S.

    Nach M. S. - 2013-05-27

    Yes, I should be able to patch it.

  • Nach M. S.

    Nach M. S. - 2013-05-27

    Okay, I think this patch should do the trick. Let me know if it's okay.

  • Daniel Stenberg

    Daniel Stenberg - 2013-05-27
    • status: open-confirmed --> closed-fixed
  • Daniel Stenberg

    Daniel Stenberg - 2013-05-27

    Thanks a lot. I edited the patch slightly, and merged it as commit ac419bf562c419. I also added a new test case (1229) to verify it with. Case closed!

