Basic authorization and colon in user, password

Hans Hübner hans.huebner at gmail.com
Tue Apr 30 07:59:24 UTC 2013


Daniel,

this obviously is a bug.  I'll gladly review a patch, but if you don't have
a good idea for a fix, please open a github issue (
https://github.com/edicl/hunchentoot/issues/new).

Thanks,
Hans


On Tue, Apr 30, 2013 at 9:47 AM, Daniel Brunner <daniel at dbrunner.de> wrote:

> Hi to all,
>
> as I understood RFC2617 for basic authorization it is assumed that
> username and password are separated with a colon ":".
>
> When a user enters an additional colon in username and/or password
> Hunchentoot (1.2.7) fails with an error:
>
> [2013-04-30 09:34:34 [ERROR]] Extra arguments in ("foo" "bar"
> "blafasel") don't match lambda list (&OPTIONAL HUNCHENTOOT::USER
> HUNCHENTOOT::PASSWORD).
>
> The code in question is in the function AUTHORIZATION in request.lisp:
>
> --
>       (destructuring-bind (&optional user password)
>           (split ":" (base64:base64-string-to-string
>                       (subseq authorization start)))
> --
>
> I would prefer if Hunchentoot could handle this case silently without
> signalling an error. What do you think?
>
> Kind regards,
> Daniel
>
>
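
Splitting on the first colon only, as an added example in Common Lisp (not Hunchentoot's code and not written by either poster): RFC 2617 defines the user-id as text excluding ":" while the password may contain colons, so everything after the first colon belongs to the password. `parse-basic-credentials` and `*sample-header*` are hypothetical names, and the example assumes the cl-base64 library is loaded.

```lisp
;; Added example. Assumes cl-base64 is available, e.g. (ql:quickload :cl-base64).
;; PARSE-BASIC-CREDENTIALS is a hypothetical name, not a Hunchentoot function.

(defun parse-basic-credentials (header)
  "Return (VALUES USER PASSWORD) for the value of an Authorization header
using the Basic scheme, or NIL if the header is absent, uses another
scheme, is not valid base64, or contains no colon at all."
  (let ((prefix "Basic "))
    (when (and (stringp header)
               (> (length header) (length prefix))
               ;; The scheme name is matched case-insensitively.
               (string-equal prefix header :end2 (length prefix)))
      (let* ((decoded
               ;; Client-supplied data: a decoding failure is treated as
               ;; "no credentials" instead of propagating an error.
               (handler-case
                   (base64:base64-string-to-string
                    (string-trim " " (subseq header (length prefix))))
                 (error () nil)))
             ;; Only the FIRST colon separates user-id from password;
             ;; any later colon is part of the password.
             (colon (and decoded (position #\: decoded))))
        (when colon
          (values (subseq decoded 0 colon)
                  (subseq decoded (1+ colon))))))))

;; Constructed sample input: the credentials from the error message in the
;; report, i.e. user "foo" with a password that itself contains a colon.
(defparameter *sample-header*
  (concatenate 'string
               "Basic "
               (base64:string-to-base64-string "foo:bar:blafasel")))

;; Prints the two values returned for the constructed header.
(multiple-value-bind (user password)
    (parse-basic-credentials *sample-header*)
  (format t "user=~S password=~S~%" user password))
```

A caller that receives NIL can answer with a 401 challenge, so malformed credentials never reach the error log as an unhandled condition.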