[hunchentoot-devel] Encoding issues in authorization header

Edi Weitz edi at agharta.de
Wed May 14 14:11:31 UTC 2008


On Mon, 12 May 2008 11:48:14 +0200, Christian Haselbach <ch at mr-co.de> wrote:

> I just stumbled upon an encoding problem with the authorization
> header.  It cannot really handle UTF-8 encoded user names (or
> passwords), because base64:base64-string-to-string does not respect
> the used encoding.
>
> In my local instance, I fixed this by changing hunchentoot's
> authorization function as follows:

My understanding of the standard is that what you are doing is wrong.
Basic authentication is described in RFC 2617 where it says that the
"userid" and "password" parts must be "TEXT" and "TEXT" is defined in
RFC 2616 as "any octet", /but/

  "words of *TEXT may contain characters from character sets other
   than ISO-8859-1 only when encoded according to the rules of RFC
   2047."

So, you'd have to add support for proper RFC 2047 parsing to make the
function deal with this correctly.  (And I'd say that that would
probably be worth its own library, maybe based on FLEXI-STREAMS.)

> Or as patch:

BTW, note that your email program rendered the patch unusable.

Thanks,
Edi.
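
Added example, not part of the original message and not Hunchentoot code: a Python sketch of the decoding question discussed above. It base64-decodes the Basic credentials to octets first and applies the character set as a separate explicit step, so the same octets can be compared under ISO-8859-1 and UTF-8. The function names, the `charset` parameter and the sample credentials are constructed for illustration; RFC 2047 parsing is not implemented.

```python
import base64


def parse_basic_credentials(header_value, charset="iso-8859-1"):
    """Return (userid, password) from an Authorization header value, or None.

    'charset' is a parameter of this sketch: it names the encoding the
    server assumes for the octets inside the base64 payload.
    """
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        # Step 1: base64 -> raw octets (no character set involved yet).
        octets = base64.b64decode(payload.strip(), validate=True)
        # Step 2: octets -> text under an explicit, strict decoding.
        text = octets.decode(charset, errors="strict")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # userid cannot contain ":", the password can: split on the first one.
    userid, sep, password = text.partition(":")
    if not sep:
        return None
    return userid, password


def make_header(userid, password, charset):
    """Build the header value a client would send using 'charset'."""
    raw = f"{userid}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample credentials, encoded the two ways a client might.
UTF8_HEADER = make_header("j\u00fcrgen", "p\u00e4ss:wort", "utf-8")
LATIN1_HEADER = make_header("j\u00fcrgen", "p\u00e4ss:wort", "iso-8859-1")

if __name__ == "__main__":
    for name, header in (("utf-8 client", UTF8_HEADER),
                         ("latin-1 client", LATIN1_HEADER)):
        for charset in ("iso-8859-1", "utf-8"):
            print(name, "/ server assumes", charset, "->",
                  parse_basic_credentials(header, charset))
```

ISO-8859-1 decoding never fails, so a UTF-8 user name is silently turned into a different string and the account lookup misses; strict UTF-8 decoding rejects the ISO-8859-1 octets instead of guessing.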


