
[*DAV] Basic auth passwords are neither parsed as ISO-8859-1 nor is RFC 7617 "charset" header sent #1731

@rfc2822


Nextcloud 10.0

Steps to reproduce

  1. Create a user account with user name "test" and password "testö"
  2. Access /remote.php/dav with Authentication: <base64 test:testö in UTF-8> → works
  3. Access /remote.php/dav with Authentication: <base64 test:testö in ISO-8859-1> → doesn't work

Expected behaviour

There's discussion out there about whether Basic auth as defined in RFC 2617 expects passwords in ASCII, ISO-8859-1, UTF-8 or RFC 2047-encoded. However, RFC 2617 seems to be quite clear:

      password    = *TEXT

where

Words of *TEXT MAY contain characters from character sets other than ISO-8859-1 [22] only when encoded according to the rules of RFC 2047 [14].

So, the credentials string should be expected as ISO-8859-1. This is, for instance, how okhttp handles it.

It should be noted that

  • some other clients (like curl) send passwords as UTF-8, which seems to be incorrect, and
  • another (the best?) possibility would be to implement RFC 7617 (i.e. send charset=UTF-8 in the WWW-Authenticate header).

Actual behaviour

Basic authentication by clients that send non-ASCII passwords as ISO-8859-1 fails.
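The two client behaviours described in this issue, handled on the server side, as an added example that is not part of the report or of Nextcloud's code: the server advertises `charset="UTF-8"` per RFC 7617, and when verifying a header it tries the password bytes both as UTF-8 and as ISO-8859-1 rather than guessing one encoding. The user name, password and realm are constructed values taken from the steps above.

```python
import base64
import binascii
import hmac
from typing import List, Optional, Tuple

# Constructed credentials from the issue's reproduction steps.
EXPECTED_USER = "test"
EXPECTED_PASSWORD = "testö"


def www_authenticate_challenge(realm: str) -> str:
    """RFC 7617 challenge: tells clients to encode credentials as UTF-8."""
    return f'Basic realm="{realm}", charset="UTF-8"'


def basic_header(user: str, password: str, encoding: str) -> str:
    """Client side: build an Authorization header with the given charset."""
    raw = f"{user}:{password}".encode(encoding)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _decodings(data: bytes) -> List[str]:
    """All plausible text readings of the bytes: UTF-8 if valid, plus ISO-8859-1."""
    candidates: List[str] = []
    try:
        candidates.append(data.decode("utf-8"))
    except UnicodeDecodeError:
        pass
    latin1 = data.decode("iso-8859-1")  # every byte string is valid ISO-8859-1
    if latin1 not in candidates:
        candidates.append(latin1)
    return candidates


def parse_basic_credentials(header: str) -> Optional[Tuple[List[str], List[str]]]:
    """Return (user candidates, password candidates) or None if malformed.
    Splits at the first colon: RFC 7617 forbids colons in the user-id."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user_b, sep, pw_b = raw.partition(b":")
    if not sep:
        return None
    return _decodings(user_b), _decodings(pw_b)


def verify_basic_auth(header: str) -> bool:
    """True when some reading of the header matches the expected user and password.
    Checking every candidate against the stored secret avoids mis-guessing the
    charset (Latin-1 bytes can occasionally form valid UTF-8 as well)."""
    parsed = parse_basic_credentials(header)
    if parsed is None:
        return False
    users, passwords = parsed
    exp_u, exp_p = EXPECTED_USER.encode("utf-8"), EXPECTED_PASSWORD.encode("utf-8")
    user_ok = any(hmac.compare_digest(u.encode("utf-8"), exp_u) for u in users)
    pw_ok = any(hmac.compare_digest(p.encode("utf-8"), exp_p) for p in passwords)
    return user_ok and pw_ok
```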
