Basic authorization and colon in user, password

Edi Weitz edi at agharta.de
Tue Apr 30 08:20:13 UTC 2013


I think the correct way to deal with this is to use PPCRE:SPLIT with
:LIMIT 2.  My understanding of RFC2617 is that the user name must not
contain a colon while the password might contain colons.

Edi.

On Tue, Apr 30, 2013 at 9:59 AM, Hans Hübner <hans.huebner at gmail.com> wrote:
> Daniel,
>
> this obviously is a bug.  I'll gladly review a patch, but if you don't have
> a good idea for a fix, please open a github issue
> (https://github.com/edicl/hunchentoot/issues/new).
>
> Thanks,
> Hans
>
>
> On Tue, Apr 30, 2013 at 9:47 AM, Daniel Brunner <daniel at dbrunner.de> wrote:
>>
>> Hi to all,
>>
>> As I understood RFC2617 for basic authorization, it is assumed that
>> username and password are separated with a colon ":".
>>
>> When a user enters an additional colon in username and/or password
>> Hunchentoot (1.2.7) fails with an error:
>>
>> [2013-04-30 09:34:34 [ERROR]] Extra arguments in ("foo" "bar"
>> "blafasel") don't match lambda list (&OPTIONAL HUNCHENTOOT::USER
>> HUNCHENTOOT::PASSWORD).
>>
>> The code in question is in the function AUTHORIZATION in request.lisp:
>>
>> --
>>       (destructuring-bind (&optional user password)
>>           (split ":" (base64:base64-string-to-string (subseq authorization start)))
>> --
>>
>> I would prefer if Hunchentoot could handle this case silently without
>> signalling an error. What do you think?
>>
>> Kind regards,
>> Daniel
>>
>
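The fix Edi suggests, written out as an added example (this is not Hunchentoot's code, and the function names PARSE-BASIC-CREDENTIALS and CHECK-PARSE-BASIC-CREDENTIALS are this example's own). It assumes cl-ppcre and cl-base64 are loaded, e.g. via Quicklisp, and uses the sample credentials from Daniel's report ("foo:bar:blafasel") as constructed input. With :LIMIT 2 the split stops at the first colon, so DESTRUCTURING-BIND never sees a third piece; the colon check before the split also covers a header whose decoded text carries no colon at all, which RFC 2617 does not allow.

```lisp
;;; Added example, not Hunchentoot's own code: parse the credentials of an
;;; HTTP Basic "Authorization" header so that colons inside the password
;;; survive, using CL-PPCRE:SPLIT with :LIMIT 2 as suggested in the thread.
;;; Assumes cl-ppcre and cl-base64 are loaded, e.g. with
;;;   (ql:quickload '(:cl-ppcre :cl-base64))
;;; The function names below are this example's own, not Hunchentoot's.

(defun parse-basic-credentials (header-value)
  "Return (values USER PASSWORD) for a header value such as
\"Basic Zm9vOmJhcjpibGFmYXNlbA==\".  Returns NIL when the scheme is not
Basic, the Base64 payload does not decode, or the decoded text has no
colon at all (RFC 2617 requires user-id \":\" password)."
  (let ((prefix "Basic "))
    (when (and (> (length header-value) (length prefix))
               (string-equal prefix header-value :end2 (length prefix)))
      (let ((decoded (ignore-errors
                      (base64:base64-string-to-string
                       (subseq header-value (length prefix))))))
        (when (and decoded (find #\: decoded))
          ;; :LIMIT 2 stops splitting after the first colon: the user name
          ;; (which RFC 2617 forbids from containing a colon) is the first
          ;; piece and the password, colons included, is the second.
          ;; Without :LIMIT, DESTRUCTURING-BIND sees a third piece for
          ;; "foo:bar:blafasel" and signals the error quoted in the thread.
          ;; The default of "" keeps an empty password ("foo:") valid
          ;; whether or not SPLIT returns a trailing empty piece.
          (destructuring-bind (user &optional (password ""))
              (cl-ppcre:split ":" decoded :limit 2)
            (values user password)))))))

;; Constructed inputs: "foo:bar:blafasel" from the thread, a user name
;; with an empty password, a payload with no colon, and another scheme.
;; Returns T when every case behaves as intended.
(defun check-parse-basic-credentials ()
  (flet ((encode (plain)
           (concatenate 'string "Basic "
                        (base64:string-to-base64-string plain))))
    (and (multiple-value-bind (u p)
             (parse-basic-credentials (encode "foo:bar:blafasel"))
           (and (string= u "foo") (string= p "bar:blafasel")))
         (multiple-value-bind (u p)
             (parse-basic-credentials (encode "foo:"))
           (and (string= u "foo") (string= p "")))
         (null (parse-basic-credentials (encode "nocolon")))
         (null (parse-basic-credentials "Bearer abc")))))
```

Calling (CHECK-PARSE-BASIC-CREDENTIALS) at the REPL returns T. Note that BASE64-STRING-TO-STRING maps each decoded byte to a character code, so a password entered in a non-Latin-1 encoding arrives as raw octets; a server that needs UTF-8 credentials should decode the octets explicitly rather than relying on this helper.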



More information about the Tbnl-devel mailing list