From daniel at dbrunner.de Tue Apr 30 07:47:52 2013
From: daniel at dbrunner.de (Daniel Brunner)
Date: Tue, 30 Apr 2013 09:47:52 +0200
Subject: Basic authorization and colon in user, password
Message-ID: <517F7728.8060809@dbrunner.de>

Hi to all,

as I understood RFC2617 for basic authorization it is assumed that
username and password are separated with a colon ":".

When a user enters an additional colon in username and/or password
Hunchentoot (1.2.7) fails with an error:

[2013-04-30 09:34:34 [ERROR]] Extra arguments in ("foo" "bar" "blafasel") don't match lambda list (&OPTIONAL HUNCHENTOOT::USER HUNCHENTOOT::PASSWORD).

The code in question is in the function AUTHORIZATION in request.lisp:

--
(destructuring-bind (&optional user password)
    (split ":" (base64:base64-string-to-string (subseq authorization start)))
--

I would prefer if Hunchentoot could handle this case silently without
signalling an error. What do you think?

Kind regards,
Daniel


From edi at agharta.de Tue Apr 30 08:20:13 2013
From: edi at agharta.de (Edi Weitz)
Date: Tue, 30 Apr 2013 10:20:13 +0200
Subject: Basic authorization and colon in user, password
In-Reply-To:
References: <517F7728.8060809@dbrunner.de>
Message-ID:

I think the correct way to deal with this is to use PPCRE:SPLIT with
:LIMIT 2. My understanding of RFC2617 is that the user name must not
contain a colon while the password might contain colons.

Edi.

On Tue, Apr 30, 2013 at 9:59 AM, Hans Hübner wrote:
> Daniel,
>
> this obviously is a bug. I'll gladly review a patch, but if you don't have
> a good idea for a fix, please open a github issue
> (https://github.com/edicl/hunchentoot/issues/new).
>
> Thanks,
> Hans
>
>
> On Tue, Apr 30, 2013 at 9:47 AM, Daniel Brunner wrote:
>>
>> Hi to all,
>>
>> as I understood RFC2617 for basic authorization it is assumed that
>> username and password are separated with a colon ":".
>>
>> When a user enters an additional colon in username and/or password
>> Hunchentoot (1.2.7) fails with an error:
>>
>> [2013-04-30 09:34:34 [ERROR]] Extra arguments in ("foo" "bar"
>> "blafasel") don't match lambda list (&OPTIONAL HUNCHENTOOT::USER
>> HUNCHENTOOT::PASSWORD).
>>
>> The code in question is in the function AUTHORIZATION in request.lisp:
>>
>> --
>> (destructuring-bind (&optional user password)
>>     (split ":" (base64:base64-string-to-string (subseq
>>                                                  authorization start)))
>> --
>>
>> I would prefer if Hunchentoot could handle this case silently without
>> signalling an error. What do you think?
>>
>> Kind regards,
>> Daniel
>>
>


From daniel at dbrunner.de Tue Apr 30 09:32:24 2013
From: daniel at dbrunner.de (Daniel Brunner)
Date: Tue, 30 Apr 2013 11:32:24 +0200
Subject: Basic authorization and colon in user, password
In-Reply-To:
References: <517F7728.8060809@dbrunner.de>
Message-ID: <517F8FA8.2010608@dbrunner.de>

Hi Hans,

yes, that solves the problem.

Greetings,
Daniel

On 30.04.2013 10:37, Hans Hübner wrote:
> On Tue, Apr 30, 2013 at 10:20 AM, Edi Weitz wrote:
>
>     I think the correct way to deal with this is to use PPCRE:SPLIT with
>     :LIMIT 2. My understanding of RFC2617 is that the user name must not
>     contain a colon while the password might contain colons.
>
>
> I agree with this and committed the trivial fix
> (https://github.com/edicl/hunchentoot/commit/c7c921fa7fb673ade189db414be5165a8e094478).
> Please let me know if it solves the problem properly.
>
> Thanks,
> Hans
>


From hans.huebner at gmail.com Tue Apr 30 07:59:24 2013
From: hans.huebner at gmail.com (Hans Hübner)
Date: Tue, 30 Apr 2013 09:59:24 +0200
Subject: Basic authorization and colon in user, password
In-Reply-To: <517F7728.8060809@dbrunner.de>
References: <517F7728.8060809@dbrunner.de>
Message-ID:

Daniel,

this obviously is a bug. I'll gladly review a patch, but if you don't have
a good idea for a fix, please open a github issue
(https://github.com/edicl/hunchentoot/issues/new).

Thanks,
Hans

On Tue, Apr 30, 2013 at 9:47 AM, Daniel Brunner wrote:
> Hi to all,
>
> as I understood RFC2617 for basic authorization it is assumed that
> username and password are separated with a colon ":".
>
> When a user enters an additional colon in username and/or password
> Hunchentoot (1.2.7) fails with an error:
>
> [2013-04-30 09:34:34 [ERROR]] Extra arguments in ("foo" "bar"
> "blafasel") don't match lambda list (&OPTIONAL HUNCHENTOOT::USER
> HUNCHENTOOT::PASSWORD).
>
> The code in question is in the function AUTHORIZATION in request.lisp:
>
> --
> (destructuring-bind (&optional user password)
>     (split ":" (base64:base64-string-to-string (subseq
>                                                  authorization start)))
> --
>
> I would prefer if Hunchentoot could handle this case silently without
> signalling an error. What do you think?
>
> Kind regards,
> Daniel
>
>


From hans.huebner at gmail.com Tue Apr 30 08:37:36 2013
From: hans.huebner at gmail.com (Hans Hübner)
Date: Tue, 30 Apr 2013 10:37:36 +0200
Subject: Basic authorization and colon in user, password
In-Reply-To:
References: <517F7728.8060809@dbrunner.de>
Message-ID:

On Tue, Apr 30, 2013 at 10:20 AM, Edi Weitz wrote:
> I think the correct way to deal with this is to use PPCRE:SPLIT with
> :LIMIT 2. My understanding of RFC2617 is that the user name must not
> contain a colon while the password might contain colons.
>

I agree with this and committed the trivial fix
(https://github.com/edicl/hunchentoot/commit/c7c921fa7fb673ade189db414be5165a8e094478).
Please let me know if it solves the problem properly.

Thanks,
Hans
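The parsing change discussed in this thread, as an added example that is not Hunchentoot's own code and is written in Python rather than Common Lisp, with constructed sample headers. parse_basic_naive mirrors the 1.2.7 behaviour (split on every colon, bind exactly two values), while parse_basic splits only at the first colon, which is what the PPCRE:SPLIT :LIMIT 2 fix achieves, and also rejects malformed or colon-less credentials instead of raising.

```python
import base64
import binascii

# Constructed sample Authorization header values (not from the thread).
SAMPLE_OK = "Basic " + base64.b64encode(b"foo:bar").decode()
SAMPLE_COLON_PW = "Basic " + base64.b64encode(b"foo:bar:blafasel").decode()
SAMPLE_NO_COLON = "Basic " + base64.b64encode(b"foo").decode()


def _basic_token(header):
    """Return the base64 token of a Basic header, or None for other schemes."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    return token.strip()


def parse_basic_naive(header):
    """1.2.7-style parsing: split on every ':' and expect at most two parts.
    A password containing ':' yields a third element and raises."""
    token = _basic_token(header)
    if token is None:
        return None
    parts = base64.b64decode(token).decode("utf-8").split(":")
    if len(parts) > 2:
        raise ValueError("extra arguments don't match lambda list")
    return parts[0], (parts[1] if len(parts) > 1 else None)


def parse_basic(header):
    """Fixed parsing: the user name ends at the first ':' (RFC 2617 forbids a
    colon in the user-id) and the password keeps everything after it."""
    token = _basic_token(header)
    if token is None:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed credentials: treat as not authenticated
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # no separator at all: not valid Basic credentials
    return user, password


def naive_raises(header):
    """True if the 1.2.7-style parser errors out on this header."""
    try:
        parse_basic_naive(header)
    except ValueError:
        return True
    return False
```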