[hunchentoot-devel] Encoding issues in authorization header
Christian Haselbach
ch at mr-co.de
Mon May 12 09:48:14 UTC 2008
Hello,
I just stumbled upon an encoding problem with the authorization header.
It cannot really handle UTF-8 encoded user names (or passwords), because
base64:base64-string-to-string does not respect the used encoding.
In my local instance, I fixed this by changing hunchentoot's
authorization function as follows:
(defun authorization (&optional (request *request*))
  "Returns as two values the user and password \(if any) as encoded in
the 'AUTHORIZATION' header. Returns NIL if there is no such header."
  (let* ((authorization (header-in :authorization request))
         (start (and authorization
                     (> (length authorization) 5)
                     (string-equal "Basic" authorization :end2 5)
                     (scan "\\S" authorization :start 5))))
    (when start
      (let* ((auth-octets (base64:base64-string-to-usb8-array
                           (subseq authorization start)))
             (auth (octets-to-string auth-octets
                                     :external-format
                                     *hunchentoot-default-external-format*)))
        (destructuring-bind (&optional user password)
            (split ":" auth)
          (values user password))))))
Or as patch:
286,288c286,293
< (destructuring-bind (&optional user password)
< (split ":" (base64:base64-string-to-string (subseq
authorization start)))
< (values user password)))))
---
> (let* ((auth-octets (base64:base64-string-to-usb8-array
> (subseq authorization start)))
> (auth (octets-to-string auth-octets
> :external-format
>
*hunchentoot-default-external-format*)))
> (destructuring-bind (&optional user password)
> (split ":" auth)
> (values user password))))))
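Review bot: In the added `(split ":" auth)` under `(destructuring-bind (&optional user password)`, a password that itself contains a colon produces more than two fields, which the two-element lambda list does not accept. The removed lines had the same shape, so this change is a good place to split on the first colon only, for example `(split ":" auth :limit 2)`. Separately, `octets-to-string` now runs on client-supplied bytes with `*hunchentoot-default-external-format*`, so it is worth deciding what happens when the octets are not valid in that encoding (treat the request as carrying no credentials rather than letting an error propagate), and noting in the docstring that the header is assumed to use the server's default external format.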
Regards,
Christian
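The decoding problem described in this message, as an added illustration that is not part of the original post and is not Hunchentoot code: a Python parser for the Basic Authorization header that first turns base64 into octets and then applies an explicit character encoding. The function names and sample credentials are constructed for the example, and Latin-1 stands in, as an assumption, for a decode that maps each octet to one character.

```python
import base64
import binascii


def make_header(user, password, encoding="utf-8"):
    """Build a Basic header the way a client would (constructed sample input)."""
    raw = f"{user}:{password}".encode(encoding)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_authorization(header, encoding="utf-8"):
    """Return (user, password), or None if the header is absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # Step 1: base64 text -> octets. No character decoding happens here.
        octets = base64.b64decode(token, validate=True)
        # Step 2: octets -> string, with the encoding stated explicitly.
        text = octets.decode(encoding)
    except (binascii.Error, UnicodeDecodeError):
        # Malformed base64, or bytes invalid in the encoding: no credentials.
        return None
    # Split on the first colon only, so passwords may contain ':'.
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


if __name__ == "__main__":
    header = make_header("jürgen", "geheim:ß")  # constructed UTF-8 credentials
    print(parse_basic_authorization(header))             # decoded as UTF-8
    print(parse_basic_authorization(header, "latin-1"))  # one octet per character
    # A Latin-1 client header is not valid UTF-8 and is rejected, not guessed at.
    print(parse_basic_authorization(make_header("jürgen", "x", "latin-1")))
```

Decoding the UTF-8 header one octet per character yields a different user name than the client sent, so a lookup against the stored account fails even though the credentials are correct.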