Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check that Basic authentication user doesn't contain control characters #478

Open
avtobiff opened this issue Nov 8, 2023 · 1 comment
Open

Check that Basic authentication user doesn't contain control characters #478

avtobiff opened this issue Nov 8, 2023 · 1 comment
Assignees
@vinoski

Comments

@avtobiff
Copy link
Collaborator

avtobiff commented Nov 8, 2023

The user-id part of the basic authentication header value should
not contain control characters. This should be validated and
handled accordingly.

RFC 7617 The 'Basic' HTTP Authentication Scheme
Section 2. The 'Basic' Authentication Scheme states [0]

   The user-id and password MUST NOT contain any control characters (see
   "CTL" in Appendix B.1 of [RFC5234]).

RFC 5234Augmented BNF for Syntax Specifications: ABNF
Appendix B.1. Core Rules states

         CTL            =  %x00-1F / %x7F
                                ; controls

[0] https://datatracker.ietf.org/doc/html/rfc7617#section-2
[1] https://datatracker.ietf.org/doc/html/rfc5234#appendix-B.1
@vinoski vinoski self-assigned this Nov 12, 2023
@vinoski
Copy link
Collaborator

vinoski commented Nov 12, 2023

Thanks for opening this. I noticed this same problem when I was looking at #477 and will work on a fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vinoski vinoski

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@avtobiff @vinoski