CXF-6962: Basic auth uses UTF-8 for the encoded password when it should use ISO-8859-1


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.18, 3.1.6
    • Fix Version/s: 3.1.10, 3.0.13, 3.2.0
    • Component/s: None
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      Basic auth uses UTF-8 for the encoded password when it should use ISO-8859-1. Also (or instead), implement RFC 7617 which allows a server to indicate it does support UTF-8.

      The RFC that covers Basic authentication says that the authentication header contains base 64 encoded TEXT [1]. The TEXT format needs to be read under the HTTP specification [2] which says:

      The TEXT rule is only used for descriptive field contents and values that are not intended to be interpreted by the message parser. Words of *TEXT MAY contain characters from character sets other than ISO-8859-1 [22] only when encoded according to the rules of RFC 2047 [14].

      RFC 2047 describes an encoding method that embeds the encoded string in "=?" and "?=". But it appears no implementation of HTTP is doing this. Certainly no browser is doing this.

      [1] http://tools.ietf.org/html/rfc2617#section-2
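      An added example, not CXF's own code, showing the two charsets side by side and the failure the report describes: a client that encodes the credentials as UTF-8 without any charset hint, while an RFC-conformant server decodes them as ISO-8859-1. The helper names are my own; the header values follow RFC 7617, and the charset parameter parsing is a simplified reading of its `charset="UTF-8"` challenge parameter.

```python
import base64
import re

# RFC 7617: credentials are ISO-8859-1 unless the server's challenge says charset="UTF-8".
LATIN1 = "iso-8859-1"
UTF8 = "utf-8"
_CHARSET_PARAM = re.compile(r'charset\s*=\s*"?([A-Za-z0-9_-]+)"?', re.IGNORECASE)


def challenge_charset(www_authenticate: str) -> str:
    """Pick the credential charset from a 'Basic realm=..., charset=...' challenge."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic challenge")
    m = _CHARSET_PARAM.search(params)
    # UTF-8 is the only value RFC 7617 defines; anything else keeps the default.
    return UTF8 if m and m.group(1).lower() == "utf-8" else LATIN1


def encode_basic(user: str, password: str, charset: str = LATIN1) -> str:
    """Client side: build an Authorization header value. Raises UnicodeEncodeError
    when the password is not representable in the chosen charset."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(authorization: str, charset: str = LATIN1) -> tuple[str, str]:
    """Server side: recover (user, password) using the charset the server advertised."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    text = base64.b64decode(token, validate=True).decode(charset)
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("credential lacks the ':' separator")
    return user, password


def mismatch_demo() -> tuple[str, str]:
    """Reproduce the reported failure: client encodes UTF-8 without a charset hint,
    server decodes per the ISO-8859-1 default. Returns (typed, what the server sees)."""
    typed = "pässwörd"  # constructed sample; representable in both charsets
    header = encode_basic("alice", typed, UTF8)
    _, seen = decode_basic(header, LATIN1)
    return typed, seen
```

      A client that honours the server's `charset` parameter (encode_basic with challenge_charset) round-trips correctly in both cases; the UTF-8-only client in mismatch_demo produces a password the server will never match.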

            People

            • Assignee: Sergey Beryozkin (sergey_beryozkin)
            • Reporter: Chris Dolphy (cdolphy)