Passwords containing ':' are not read properly #41
Comments
So... over a year and nobody else seems to care about this? This is tripping us up. Can we please merge the PR? #42
For anybody else who needs to fix this now, just URL encode your password on the client and then decode it on the server. Maybe we should suggest that in the docs?
go and merge!
Please merge #42 - this is a blocker for us, thanks!
MatthiasKunnen added a commit to MatthiasKunnen/passport-http-2 that referenced this issue Dec 20, 2018

Previous implementation:
empty user-pass -> error basic realm
no " " separator -> error 400
no : separator -> error basic realm
empty password -> error basic realm
empty username -> error basic realm

New implementation:
empty user-pass -> error 400
no " " separator -> error 400
no : separator -> error 400
empty password -> success
empty username -> success

Also fixed passwords containing ':' being truncated.

This fixes:
- jaredhanson/passport-http#20
- jaredhanson/passport-http#41
- jaredhanson/passport-http#42
- jaredhanson/passport-http#63
- jaredhanson/passport-http#78

The new implementation complies with https://tools.ietf.org/html/rfc2617#section-2.
Duplicate of #20
AaronDewes pushed a commit to AaronDewes/modern-passport-http that referenced this issue Feb 6, 2021

This is mostly the following change:

Corrected handling of HTTP Basic edge cases

Previous implementation:
empty user-pass -> error basic realm
no " " separator -> error 400
no : separator -> error basic realm
empty password -> error basic realm
empty username -> error basic realm

New implementation:
empty user-pass -> error 400
no " " separator -> error 400
no : separator -> error 400
empty password -> success
empty username -> success

Also fixed passwords containing ':' being truncated.

This fixes:
- jaredhanson#20
- jaredhanson#41
- jaredhanson#42
- jaredhanson#63
- jaredhanson#78

The new implementation complies with https://tools.ietf.org/html/rfc2617#section-2.
Since userid and password are read as index 0 and 1 of credentials.split(':'), the remaining part of the password after ':' is discarded.
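
The truncation reported in this issue, next to a parser that splits on the first ':' only and returns the edge-case outcomes listed in the commit message in this thread. This is an added example, not passport-http's code and not written by anyone in the thread. The function names and sample credentials are hypothetical, and the 401 for non-Basic schemes is an assumption.

```javascript
// Added example: names are hypothetical, not passport-http's API.

// Behaviour reported in the issue: only indexes 0 and 1 of split(':') are used,
// so everything after a second ':' is silently dropped from the password.
function parseWithSplit(userPass) {
  const parts = userPass.split(':');
  return { userid: parts[0], password: parts[1] };
}

// Split on the FIRST ':' only. RFC 2617 section 2 excludes ':' from the userid,
// not from the password, so the rest of the string is the password.
function parseBasicHeader(header) {
  if (typeof header !== 'string') return { ok: false, status: 400 };
  const space = header.indexOf(' ');
  if (space === -1) return { ok: false, status: 400 };   // no " " separator
  if (header.slice(0, space).toLowerCase() !== 'basic') {
    return { ok: false, status: 401 };                   // assumption: challenge other schemes
  }
  const token = header.slice(space + 1).trim();
  if (token === '') return { ok: false, status: 400 };   // empty user-pass
  const userPass = Buffer.from(token, 'base64').toString('utf8');
  const colon = userPass.indexOf(':');
  if (colon === -1) return { ok: false, status: 400 };   // no ':' separator
  return {
    ok: true,
    userid: userPass.slice(0, colon),     // may be empty
    password: userPass.slice(colon + 1),  // may be empty, may contain ':'
  };
}

// Helper that builds a header from constructed sample credentials.
function basicHeader(userPass) {
  return 'Basic ' + Buffer.from(userPass, 'utf8').toString('base64');
}

// Constructed samples, not taken from the issue.
for (const sample of ['alice:pa:ss:word', 'alice:', ':secret', 'alice']) {
  console.log(JSON.stringify(sample), parseWithSplit(sample),
    parseBasicHeader(basicHeader(sample)));
}
```

A password that has been silently shortened this way is compared against the stored one in its truncated form, so the visible symptom is a login failure for users whose password contains ':'.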