I think the correct way to deal with this is to use PPCRE:SPLIT with :LIMIT 2. My understanding of RFC2617 is that the user name must not contain a colon while the password might contain colons.
Edi.
On Tue, Apr 30, 2013 at 9:59 AM, Hans Hübner hans.huebner@gmail.com wrote:
Daniel,
this obviously is a bug. I'll gladly review a patch, but if you don't have a good idea for a fix, please open a github issue (https://github.com/edicl/hunchentoot/issues/new).
Thanks, Hans
On Tue, Apr 30, 2013 at 9:47 AM, Daniel Brunner daniel@dbrunner.de wrote:
Hi to all,
as I understood RFC2617 for basic authorization it is assumed that username and password are seperated with a colon ":".
When a user enters an additional colon in username and/or password Hunchentoot (1.2.7) fails with an error:
[2013-04-30 09:34:34 [ERROR]] Extra arguments in ("foo" "bar" "blafasel") don't match lambda list (&OPTIONAL HUNCHENTOOT::USER HUNCHENTOOT::PASSWORD).
The code in question is in the function AUTHORIZATION in request.lisp:
-- (destructuring-bind (&optional user password) (split ":" (base64:base64-string-to-string (subseq authorization start))) --
I would prefer if Hunchentoot could handle this case silently without signalling an error. What do you think?
Kind regards, Daniel