Hi again,
We ran into another problem where passwords containing : characters were being rejected by the basic auth parser. It seems that the user:password credentials string is being split without a limit, and the code later checks whether it's been split into two parts.
According to RFC 2617 (page 6) the password may contain colon characters, but the username may not, so splitting only on the first colon seems to be a correct solution.
Hope this helps!
michael-conway
commented
9 years ago
Hi again, We ran into another problem where passwords containing
:characters were being rejected by the basic auth parser. It seems that theuser:passwordcredentials string is being split without a limit, and the code later checks whether it's been split into two parts. According to RFC 2617 (page 6) the password may contain colon characters, but the username may not, so splitting only on the first colon seems to be a correct solution. Hope this helps!