Hi to all,
as I understood RFC2617 for basic authorization it is assumed that username and password are seperated with a colon ":".
When a user enters an additional colon in username and/or password Hunchentoot (1.2.7) fails with an error:
[2013-04-30 09:34:34 [ERROR]] Extra arguments in ("foo" "bar" "blafasel") don't match lambda list (&OPTIONAL HUNCHENTOOT::USER HUNCHENTOOT::PASSWORD).
The code in question is in the function AUTHORIZATION in request.lisp:
-- (destructuring-bind (&optional user password) (split ":" (base64:base64-string-to-string (subseq authorization start))) --
I would prefer if Hunchentoot could handle this case silently without signalling an error. What do you think?
Kind regards, Daniel
Daniel,
this obviously is a bug. I'll gladly review a patch, but if you don't have a good idea for a fix, please open a github issue ( https://github.com/edicl/hunchentoot/issues/new).
Thanks, Hans
On Tue, Apr 30, 2013 at 9:47 AM, Daniel Brunner daniel@dbrunner.de wrote:
Hi to all,
as I understood RFC2617 for basic authorization it is assumed that username and password are seperated with a colon ":".
When a user enters an additional colon in username and/or password Hunchentoot (1.2.7) fails with an error:
[2013-04-30 09:34:34 [ERROR]] Extra arguments in ("foo" "bar" "blafasel") don't match lambda list (&OPTIONAL HUNCHENTOOT::USER HUNCHENTOOT::PASSWORD).
The code in question is in the function AUTHORIZATION in request.lisp:
-- (destructuring-bind (&optional user password) (split ":" (base64:base64-string-to-string (subseq authorization start))) --
I would prefer if Hunchentoot could handle this case silently without signalling an error. What do you think?
Kind regards, Daniel
I think the correct way to deal with this is to use PPCRE:SPLIT with :LIMIT 2. My understanding of RFC2617 is that the user name must not contain a colon while the password might contain colons.
Edi.
On Tue, Apr 30, 2013 at 9:59 AM, Hans Hübner hans.huebner@gmail.com wrote:
Daniel,
this obviously is a bug. I'll gladly review a patch, but if you don't have a good idea for a fix, please open a github issue (https://github.com/edicl/hunchentoot/issues/new).
Thanks, Hans
On Tue, Apr 30, 2013 at 9:47 AM, Daniel Brunner daniel@dbrunner.de wrote:
Hi to all,
as I understood RFC2617 for basic authorization it is assumed that username and password are seperated with a colon ":".
When a user enters an additional colon in username and/or password Hunchentoot (1.2.7) fails with an error:
[2013-04-30 09:34:34 [ERROR]] Extra arguments in ("foo" "bar" "blafasel") don't match lambda list (&OPTIONAL HUNCHENTOOT::USER HUNCHENTOOT::PASSWORD).
The code in question is in the function AUTHORIZATION in request.lisp:
-- (destructuring-bind (&optional user password) (split ":" (base64:base64-string-to-string (subseq authorization start))) --
I would prefer if Hunchentoot could handle this case silently without signalling an error. What do you think?
Kind regards, Daniel
On Tue, Apr 30, 2013 at 10:20 AM, Edi Weitz edi@agharta.de wrote:
I think the correct way to deal with this is to use PPCRE:SPLIT with :LIMIT 2. My understanding of RFC2617 is that the user name must not contain a colon while the password might contain colons.
I agree with this and committed the trivial fix ( https://github.com/edicl/hunchentoot/commit/c7c921fa7fb673ade189db414be5165a...). Please let me know if it solves the problem properly.
Thanks, Hans
Hi Hans,
yes, that solves the problem.
Greetings, Daniel
Am 30.04.2013 10:37, schrieb Hans Hübner:
On Tue, Apr 30, 2013 at 10:20 AM, Edi Weitz <edi@agharta.de mailto:edi@agharta.de> wrote:
I think the correct way to deal with this is to use PPCRE:SPLIT with :LIMIT 2. My understanding of RFC2617 is that the user name must not contain a colon while the password might contain colons.I agree with this and committed the trivial fix (https://github.com/edicl/hunchentoot/commit/c7c921fa7fb673ade189db414be5165a...). Please let me know if it solves the problem properly.
Thanks, Hans
-
Daniel Brunner -
Edi Weitz -
Hans Hübner