Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Auth Core 1.0.0
Description
The Sling authenticator supports transparent impersonation of another user using a so-called "sudo" parameter. Using this parameter causes the authenticator to set a sudo cookie, which is inspected on subsequent requests to decide whether to keep impersonating or not.
The problem is that the character set of cookie values is limited by RFC 2109, which requires a cookie value to be a token or a quoted-string as defined in RFC 2616:
    token         = 1*<any CHAR except CTLs or separators>
    separators    = "(" | ")" | "<" | ">" | "@"
                  | "," | ";" | ":" | "\" | <">
                  | "/" | "[" | "]" | "?" | "="
                  | "{" | "}" | SP | HT
    quoted-string = ( <"> *(qdtext | quoted-pair ) <"> )
    qdtext        = <any TEXT except <">>
If the sudo user name contains an "@" sign (such as an email address), the value is no longer a token and must be properly quoted.
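As an added illustration (not Sling's own code), the token check and the quoting the report calls for, in Python: a value such as an email address fails the token test, is emitted as a quoted-string with quoted-pairs for embedded quotes and backslashes, and is read back to the original user name. The function names are assumptions for this example.

```python
# RFC 2616 separators, as listed in the report; CTLs (0-31, 127) are also
# excluded from tokens. Everything else in US-ASCII may appear in a token.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_token(value: str) -> bool:
    """True if value is a non-empty RFC 2616 token."""
    if not value:
        return False
    return all(32 <= ord(ch) < 127 and ch not in SEPARATORS for ch in value)


def quote_cookie_value(value: str) -> str:
    """Emit value as a token if possible, otherwise as a quoted-string.

    Inside a quoted-string, '"' and '\\' become quoted-pairs. Control and
    non-ASCII characters are rejected outright (a conservative choice: RFC 2616
    TEXT only admits them via encodings this example does not implement).
    """
    if is_token(value):
        return value
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in value):
        raise ValueError("cookie value contains control or non-ASCII characters")
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def unquote_cookie_value(raw: str) -> str:
    """Read back a token or a quoted-string; anything else is rejected."""
    if is_token(raw):
        return raw
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError("cookie value is neither token nor quoted-string")
    out, i, body = [], 0, raw[1:-1]
    while i < len(body):
        ch = body[i]
        if ch == '\\':                      # quoted-pair: next char is literal
            if i + 1 == len(body):
                raise ValueError("dangling backslash in quoted-string")
            out.append(body[i + 1])
            i += 2
        elif ch == '"':                     # qdtext excludes a bare quote
            raise ValueError("unescaped quote inside quoted-string")
        else:
            out.append(ch)
            i += 1
    return ''.join(out)
```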