Announcement

Collapse
No announcement yet.

Basic authentication (CalDav/CardDav): Trailing spaces in passwords removed?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • vbrillau
    replied
    Hi!
    Sorry for the late update.
    Yes, normal web logins work (at least in our setup, with an IMAP & LDAP backend).
    Thanks for the fix!

    Leave a comment:


  • Wolfgang Rosenauer
    replied
    Hi again,
    https://gitlab.open-xchange.com/midd...7bd1b182379ad4
    This will land in 7.10.5 which should be out somewhen early February

    Leave a comment:


  • Wolfgang Rosenauer
    replied
    Hi and thanks for the report.

    I have to admit that I never tried a password with trailing space myself so can you confirm that such a passwords work for normal web logins and so on and just fail for DAV?

    Leave a comment:


  • Basic authentication (CalDav/CardDav): Trailing spaces in passwords removed?

    Hi,

    While trying to debug some rejected logins from our users, I think I've found a bug in how passwords are processed for basic authentication: passwords ending with a simple space are rejected from Basic Authentication (for e.g. CalDav or CardDav).
    I think I have traced it down to https://github.com/open-xchange/apps...java#L206-L211 :
    Code:
    public static Credentials decode(final String auth) throws UnsupportedCharsetException {
        final byte[] decoded = Base64.decode(auth.substring(BASIC_AUTH.length() + 1));
        String userpass = new String(decoded, com.openexchange.java.Charsets.UTF_8).trim();
        if (userpass.indexOf(UNKNOWN) >= 0) {
            userpass = new String(decoded, com.openexchange.java.Charsets.ISO_8859_1).trim();
        }
    It's clear that after being base64-decoded and decoded from a charset point of view, the resulting `${user}:${password}` is trimmed.
    As a result, trailing spaces in a password (or leading spaces in a username if that's even supported) are removed.
    I tried to trace the execution around, to see if the username and password were supposed to be encoded to protect this trailing space, but I didn't find anything.

    Why is there a trim here? There seems to be no mention of trailing space or new line in RFC7617

    Thanks in advance!
Working...
X