BASIC strategy does not support passwords that contain colons #20
Comments
This was referenced Jan 21, 2014
|
To work around this issue, I’m using |
|
We've this issue, too. Is there a plan to fix this issue? The provided PR doesn't look that bad (I left a comment, though). So probably we've the chance to fix this (already very old) issue? :) |
FlorianSW
added a commit
to FlorianSW/passport-http
that referenced
this issue
Jul 6, 2017
A colon is a valid character in the password, however currently the chars including and after the colon are stripped of the password which leads in false-positives (user can't login even if the password is correct). This commit fixes that. Fixes jaredhanson#20
|
Any reason that this hasn't been merged/closed yet? This issue is now 4 years old 😮 |
5 tasks
MatthiasKunnen
added a commit
to MatthiasKunnen/passport-http-2
that referenced
this issue
Dec 20, 2018
Previous implementation: empty user-pass -> error basic realm no " " separator -> error 400 no : separator -> error basic realm empty password -> error basic realm empty username -> error basic realm New implementation: empty user-pass -> error 400 no " " separator -> error 400 no : separator -> error 400 empty password -> success empty username -> success Also fixed passwords containing ':' being truncated. This fixes: - jaredhanson/passport-http#20 - jaredhanson/passport-http#41 - jaredhanson/passport-http#42 - jaredhanson/passport-http#63 - jaredhanson/passport-http#78 The new implemementation complies with https://tools.ietf.org/html/rfc2617#section-2.
MatthiasKunnen
added a commit
to MatthiasKunnen/passport-http-2
that referenced
this issue
Dec 20, 2018
Previous implementation: empty user-pass -> error basic realm no " " separator -> error 400 no : separator -> error basic realm empty password -> error basic realm empty username -> error basic realm New implementation: empty user-pass -> error 400 no " " separator -> error 400 no : separator -> error 400 empty password -> success empty username -> success Also fixed passwords containing ':' being truncated. This fixes: - jaredhanson/passport-http#20 - jaredhanson/passport-http#41 - jaredhanson/passport-http#42 - jaredhanson/passport-http#63 - jaredhanson/passport-http#78 The new implemementation complies with https://tools.ietf.org/html/rfc2617#section-2.
AaronDewes
pushed a commit
to AaronDewes/modern-passport-http
that referenced
this issue
Feb 6, 2021
This is mostly the following change: Corrected handling of HTTP Basic edge cases Previous implementation: empty user-pass -> error basic realm no " " separator -> error 400 no : separator -> error basic realm empty password -> error basic realm empty username -> error basic realm New implementation: empty user-pass -> error 400 no " " separator -> error 400 no : separator -> error 400 empty password -> success empty username -> success Also fixed passwords containing ':' being truncated. This fixes: - jaredhanson#20 - jaredhanson#41 - jaredhanson#42 - jaredhanson#63 - jaredhanson#78 The new implemementation complies with https://tools.ietf.org/html/rfc2617#section-2.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Colons are legal characters in passwords. Because of the way the BASIC strategy splits the BASIC username:password header, passwords containing a colon character fail. Per the following code from basic.js:
var scheme = parts[0]
, credentials = new Buffer(parts[1], 'base64').toString().split(':');
if (!/Basic/i.test(scheme)) { return this.fail(this._challenge()); }
if (credentials.length < 2) { return this.fail(400); }
var userid = credentials[0];
var password = credentials[1];
you can see that a split(':') on "myusername:my:password" will result in 3 parts instead of the expected 2. Better to use something like:
.split(':').slice(1).join(':')
or a regexp to get the password. Not sure that I can work up a patch before the new year, but reporting the issue now.
The text was updated successfully, but these errors were encountered: