Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-6962

Basic auth uses UTF-8 for the encoded password when it should use ISO-8859-1

          Details

          • Type: Bug
          • Status: Closed
          • Priority: Major
          • Resolution: Fixed
          • Affects Version/s: 2.7.18, 3.1.6
          • Fix Version/s: 3.1.10, 3.0.13, 3.2.0
          • Component/s: None
          • Labels:
            None
          • Estimated Complexity:
            Unknown

            Description

            Basic auth uses UTF-8 for the encoded password when it should use ISO-8859-1. Also (or instead), implement RFC 7617 which allows a server to indicate it does support UTF-8.

            The RFC that covers Basic authentication says that the authentication header contains base 64 encoded TEXT [1]. The TEXT format needs to be read under the HTTP specification [2] which says:

            The TEXT rule is only used for descriptive field contents and values
            that are not intended to be interpreted by the message parser. Words
            of *TEXT MAY contain characters from character sets other than ISO-
            8859-1 [22] only when encoded according to the rules of RFC 2047
            [14].

            RFC 2047 describes an encoding method that embeds the encoded string in "=?" and "?=". But it appears no implementation of HTTP is doing this. Certainly no browser is doing this.

            [1] http://tools.ietf.org/html/rfc2617#section-2

              Attachments

                Activity

                  People

                  • Assignee:
                    sergey_beryozkin Sergey Beryozkin
                    Reporter:
                    cdolphy Chris Dolphy
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    4 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: