Hi,
While trying to debug some rejected logins from our users, I think I've found a bug in how passwords are processed for basic authentication: passwords ending with a simple space are rejected from Basic Authentication (e.g. CalDAV or CardDAV).
I think I have traced it down to https://github.com/open-xchange/apps...java#L206-L211 :
Code:
    public static Credentials decode(final String auth) throws UnsupportedCharsetException {
        final byte[] decoded = Base64.decode(auth.substring(BASIC_AUTH.length() + 1));
        // the decoded "user:password" string is trimmed as a whole, dropping leading/trailing whitespace
        String userpass = new String(decoded, com.openexchange.java.Charsets.UTF_8).trim();
        if (userpass.indexOf(UNKNOWN) >= 0) {
            // fallback to ISO-8859-1 if the UTF-8 decoding produced replacement characters
            userpass = new String(decoded, com.openexchange.java.Charsets.ISO_8859_1).trim();
        }
It's clear that after being base64-decoded and decoded from a charset point of view, the resulting `${user}:${password}` is trimmed.
As a result, trailing spaces in a password (or leading spaces in a username, if that's even supported) are removed.
I tried to trace the execution around, to see if the username and password were supposed to be encoded to protect this trailing space, but I didn't find anything.
Why is there a trim here? There seems to be no mention of trailing space or new line in RFC 7617.
Thanks in advance!
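To make the reported behaviour concrete, here is an added Python example (not code from the post or from the Open-Xchange project) that builds an RFC 7617 credentials header and decodes it two ways: once mirroring the trim-the-whole-string logic quoted above, once without trimming and splitting only on the first colon. The function names, the sample credentials and the ISO-8859-1 fallback are assumptions modelled on the quoted snippet.

```python
import base64
import hmac


def encode_basic(user: str, password: str, charset: str = "utf-8") -> str:
    """Build an Authorization header value per RFC 7617: base64("user-id:password")."""
    if ":" in user:
        raise ValueError("user-id must not contain a colon (RFC 7617 section 2)")
    token = base64.b64encode(f"{user}:{password}".encode(charset)).decode("ascii")
    return f"Basic {token}"


def decode_basic_trimmed(header: str) -> tuple[str, str]:
    """Mirrors the decoding in the quoted snippet: decode, then trim the whole string.
    Python's strip() stands in for Java's String.trim(); trailing whitespace in the
    password (or leading whitespace in the user-id) is silently lost."""
    raw = base64.b64decode(header[len("Basic "):]).decode("utf-8")
    userpass = raw.strip()  # this is the step the post questions
    user, _, password = userpass.partition(":")
    return user, password


def decode_basic(header: str) -> tuple[str, str]:
    """RFC 7617-style decoding: no trimming, split on the FIRST colon only, so the
    password may itself contain colons or whitespace."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credentials header")
    raw = base64.b64decode(token, validate=True)
    try:
        userpass = raw.decode("utf-8")
    except UnicodeDecodeError:
        userpass = raw.decode("iso-8859-1")  # assumed fallback, analogous to the snippet
    user, sep, password = userpass.partition(":")
    if not sep:
        raise ValueError("credentials must be user-id:password")
    return user, password


def check_login(header: str, expected_user: str, expected_password: str, decoder) -> bool:
    """Compare the decoded pair against the stored credentials without early exit."""
    user, password = decoder(header)
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pw_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pw_ok
```

With a constructed password `"hunter2 "` (trailing space), the trimmed decoder rejects a correct login while the untrimmed one accepts it.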