
Basic authentication (CalDav/CardDav): Trailing spaces in passwords removed?


    While trying to debug some rejected logins from our users, I think I've found a bug in how passwords are processed for basic authentication: passwords ending with a simple space are rejected from Basic Authentication (e.g. for CalDav or CardDav).
    I think I have traced it down to:
    public static Credentials decode(final String auth) throws UnsupportedCharsetException {
        final byte[] decoded = Base64.decode(auth.substring(BASIC_AUTH.length() + 1));
        String userpass = new String(decoded,;
        if (userpass.indexOf(UNKNOWN) >= 0) {
            userpass = new String(decoded,;
    It's clear that after being base64-decoded and decoded from a charset point of view, the resulting `${user}:${password}` is trimmed.
    As a result, trailing spaces in a password (or leading spaces in a username if that's even supported) are removed.
    I tried to trace the execution around, to see if the username and password were supposed to be encoded to protect this trailing space, but I didn't find anything.

    Why is there a trim here? There seems to be no mention of trailing spaces or new lines in RFC 7617.

    Thanks in advance!

  • #2
    Hi and thanks for the report.

    I have to admit that I never tried a password with a trailing space myself, so can you confirm that such passwords work for normal web logins and so on and just fail for DAV?


    • #3
      Hi again,
      This will land in 7.10.5, which should be out sometime in early February.


      • #4
        Sorry for the late update.
        Yes, normal web logins work (at least in our setup, with an IMAP & LDAP backend).
        Thanks for the fix!
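
The issue from the first post, as an added example that is not part of the thread and not the project's code: a stand-alone Basic credentials decoder that can trim the decoded `user:password` string or leave it intact, run on a constructed password with one trailing space. The class name, the `trimUserPass` switch, the UTF-8 charset and the sample credentials are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthDecode {

    /** Decoded credentials; both fields are kept exactly as the client sent them. */
    record Credentials(String user, String password) {}

    static final String SCHEME = "Basic";

    /**
     * Decodes an Authorization header value. RFC 7617 separates user-id and
     * password at the first colon and defines no whitespace stripping of the
     * decoded user-pass string. trimUserPass is a hypothetical switch that
     * reproduces the trimming described in the first post.
     */
    static Credentials decode(String header, boolean trimUserPass) {
        if (header == null
                || !header.regionMatches(true, 0, SCHEME + " ", 0, SCHEME.length() + 1)) {
            throw new IllegalArgumentException("not a Basic authorization header");
        }
        // Whitespace around the base64 token is header syntax, so stripping it is safe.
        String token = header.substring(SCHEME.length() + 1).trim();
        byte[] raw = Base64.getDecoder().decode(token); // IllegalArgumentException if malformed
        String userPass = new String(raw, StandardCharsets.UTF_8); // charset is an assumption
        if (trimUserPass) {
            userPass = userPass.trim(); // drops the password's trailing space
        }
        int colon = userPass.indexOf(':'); // first colon: a user-id cannot contain one
        if (colon < 0) {
            throw new IllegalArgumentException("missing ':' in user-pass");
        }
        return new Credentials(userPass.substring(0, colon), userPass.substring(colon + 1));
    }

    public static void main(String[] args) {
        // Constructed sample: user "alice", password "s3cret " with one trailing space.
        String stored = "s3cret ";
        String header = "Basic " + Base64.getEncoder()
                .encodeToString(("alice:" + stored).getBytes(StandardCharsets.UTF_8));
        for (boolean trim : new boolean[] {true, false}) {
            Credentials c = decode(header, trim);
            System.out.printf("trim=%-5b password=[%s] matches stored=%b%n",
                    trim, c.password(), c.password().equals(stored));
        }
    }
}
```

Requires Java 16 or later for the record type. A regression test for a decoder like this should include passwords with leading and trailing spaces and passwords containing colons.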