
Hi to all,
as I understood RFC2617 for basic authorization it is assumed that username and password are separated with a colon ":".
When a user enters an additional colon in username and/or password Hunchentoot (1.2.7) fails with an error:
[2013-04-30 09:34:34 [ERROR]] Extra arguments in ("foo" "bar" "blafasel") don't match lambda list (&OPTIONAL HUNCHENTOOT::USER HUNCHENTOOT::PASSWORD).
The code in question is in the function AUTHORIZATION in request.lisp:
-- (destructuring-bind (&optional user password) (split ":" (base64:base64-string-to-string (subseq authorization start)))) --
I would prefer if Hunchentoot could handle this case silently without signalling an error. What do you think?
Kind regards, Daniel

Daniel,
this obviously is a bug. I'll gladly review a patch, but if you don't have a good idea for a fix, please open a github issue (https://github.com/edicl/hunchentoot/issues/new).
Thanks, Hans
(in reply to Daniel Brunner <daniel@dbrunner.de>, Tue, Apr 30, 2013 at 9:47 AM)

I think the correct way to deal with this is to use PPCRE:SPLIT with :LIMIT 2. My understanding of RFC2617 is that the user name must not contain a colon while the password might contain colons.
Edi.
(in reply to Hans Hübner <hans.huebner@gmail.com>, Tue, Apr 30, 2013 at 9:59 AM)

On Tue, Apr 30, 2013 at 10:20 AM, Edi Weitz <edi@agharta.de> wrote:
I think the correct way to deal with this is to use PPCRE:SPLIT with :LIMIT 2. My understanding of RFC2617 is that the user name must not contain a colon while the password might contain colons.
I agree with this and committed the trivial fix (https://github.com/edicl/hunchentoot/commit/c7c921fa7fb673ade189db414be5165a...). Please let me know if it solves the problem properly.
Thanks, Hans
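The first-colon-only split that Edi proposes and Hans committed, reimplemented below in Python as an added example (this is not Hunchentoot's code, which is Common Lisp and uses PPCRE:SPLIT with :LIMIT 2; the function names, the CAPTURED_HEADER constant and the sample credentials are constructed for illustration). It puts the 1.2.7 behaviour (split on every colon, then bind exactly two values, which is what the DESTRUCTURING-BIND error in Daniel's report amounts to) beside the fixed behaviour, where only the first colon separates user-id and password as RFC 2617 section 2 (and RFC 7617, which replaced it) require. Python's str.partition is the equivalent of a limit-2 split.

```python
"""Added example (not Hunchentoot code): HTTP Basic credential parsing.

parse_basic_authorization() mirrors the fixed behaviour (first colon only);
parse_basic_authorization_naive() mirrors Hunchentoot 1.2.7 (unbounded split
followed by a two-value destructuring).
"""
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample header: base64 of "foo:bar:blafasel", the credentials
# that produced the error quoted in the report.
CAPTURED_HEADER = "Basic Zm9vOmJhcjpibGFmYXNlbA=="


def _decode_basic_value(header: str) -> Optional[str]:
    """Return the decoded "userid:password" string, or None when the header
    is not a syntactically valid Basic credential (wrong scheme, bad base64,
    bytes that are not UTF-8)."""
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value.strip():
        return None
    try:
        raw = base64.b64decode(value.strip(), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None


def parse_basic_authorization_naive(header: str) -> Optional[Tuple[str, Optional[str]]]:
    """1.2.7 behaviour: split on every colon, then bind exactly
    (&optional user password). A third field raises, as DESTRUCTURING-BIND
    does; a missing password binds to None, as NIL."""
    decoded = _decode_basic_value(header)
    if decoded is None:
        return None
    parts = decoded.split(":")
    if len(parts) > 2:
        raise ValueError(
            f"Extra arguments in {parts} don't match lambda list "
            "(&OPTIONAL USER PASSWORD)")
    user = parts[0]
    password = parts[1] if len(parts) == 2 else None
    return user, password


def parse_basic_authorization(header: str) -> Optional[Tuple[str, str]]:
    """Fixed behaviour: the user-id must not contain a colon, the password may
    contain any number of them, so only the FIRST colon is the separator.
    Credentials with no colon at all are rejected rather than half-bound."""
    decoded = _decode_basic_value(header)
    if decoded is None:
        return None
    user, sep, password = decoded.partition(":")  # same as PPCRE:SPLIT :LIMIT 2
    if not sep:
        return None
    return user, password


def make_basic_header(user: str, password: str) -> str:
    """Client side: build the header a browser sends for user/password.
    Refuses a colon in the user-id, which the RFC does not allow, because
    the server could never recover the boundary again."""
    if ":" in user:
        raise ValueError("user-id must not contain a colon (RFC 7617 section 2)")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    print(parse_basic_authorization(CAPTURED_HEADER))  # ('foo', 'bar:blafasel')
    try:
        parse_basic_authorization_naive(CAPTURED_HEADER)
    except ValueError as err:
        print("1.2.7 behaviour:", err)
```

The server cannot tell whether "foo:bar:blafasel" was meant as user "foo:bar" or as password "bar:blafasel"; the limit-2 split resolves that consistently in the only way the RFC permits, and clients that follow the RFC never put a colon in the user-id in the first place.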

Hi Hans,
yes, that solves the problem.
Greetings, Daniel
(in reply to Hans Hübner, 30.04.2013 10:37)
participants (3): Daniel Brunner, Edi Weitz, Hans Hübner