curl 7.30.0 (x86_64-pc-linux-gnu) libcurl/7.30.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.25 libssh2/1.4.2 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
According to RFC2617, the Authorization header is supposed to be a quoted-string. According to RFC2616 and its errata, a quoted-string is a string enclosed between two double quote characters, and all double quote characters and backslash characters within it are preceded by a backslash.
cURL does not escape, as can be seen when passing a username containing " and \ with Digest Authentication.
I see it sending the following to my server in a test:
Authorization: Digest username="Nach = " \ -", realm="Test", nonce="JlGjUQAAAAByWa0wBPwJElZJ7HJq1GSwRDkLcgxigS2q6IEPrdlLXGXCKtrvx4cN", uri="/digest/", cnonce="ICAgICAgICAgICAgICAgICAgICAgICAgICA2MTE5NTA=", nc=00000001, qop=auth, response="629c3aa78e84563dfeaafdd836fa708b", algorithm="MD5-sess"
Clearly that username field is wrong, and should be: username="Nach = \" \ -"
User-agents which properly escape:
Firefox
Chrome
User-agents which do not properly escape:
cURL
Opera
I didn't test beyond these.
Edit:
It looks like SourceForge's bug editor is screwing with the slashes, so I'm copying this report elsewhere, so it can be viewed correctly: http://paste.nachsoftware.com/Nach/XvtgYe5a2911e72d11f69358651a3578a86df6pP
Thanks for your report. I can confirm that this is indeed still a problem in the current code base.
Are you up to providing a patch for this?
Yes, I should be able to patch it.
Okay, I think this patch should do the trick. Let me know if it's okay.
Thanks a lot. I edited the patch slightly, and merged it as commit ac419bf562c419. I also added a new test case (1229) to verify it with. Case closed!
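The quoted-string escaping rule described in the report, as an added example; it is not code from this thread and not the patch merged into curl, and the names qs_escape, qs_unquote and roundtrip_ok are hypothetical. It shows that a receiver parsing the unescaped value recovers a truncated username, while the escaped value round-trips intact.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Escape s for an RFC 2616 quoted-string: prefix '"' and '\' with '\'. */
char *qs_escape(const char *s)
{
  char *out = malloc(strlen(s) * 2 + 1), *o = out;
  if(!out)
    return NULL;
  for(; *s; s++) {
    if(*s == '"' || *s == '\\')
      *o++ = '\\';
    *o++ = *s;
  }
  *o = '\0';
  return out;
}

/* Receiver side: decode the quoted-string at p into dst; -1 if malformed. */
int qs_unquote(const char *p, char *dst, size_t dstlen)
{
  size_t o = 0;
  if(!p || !dstlen || *p++ != '"')
    return -1;
  while(*p && *p != '"') {
    if((*p == '\\' && !*++p) || o + 1 >= dstlen)
      return -1;            /* dangling backslash or output full */
    dst[o++] = *p++;
  }
  dst[o] = '\0';
  return *p == '"' ? 0 : -1; /* must end on a closing quote */
}

/* 1 if a receiver recovers exactly `user` from username="...", else 0. */
int roundtrip_ok(const char *user, int escape)
{
  char hdr[512], got[256];
  char *val = escape ? qs_escape(user) : NULL;
  if(escape && !val) return 0;  /* allocation failed */
  snprintf(hdr, sizeof(hdr), "username=\"%s\"", val ? val : user);
  free(val);
  return !qs_unquote(strchr(hdr, '"'), got, sizeof(got)) && !strcmp(got, user);
}

int main(void)
{
  const char *user = "Nach = \" \\ -"; /* username from the report */
  printf("unescaped ok=%d, escaped ok=%d\n", roundtrip_ok(user, 0), roundtrip_ok(user, 1));
  return 0;
}
```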