In order to respect RFC 2617, the server must accept any password matching the following requirements:
The former implementation did not respect this, and did not take into account the : character in the password field. The new implementation assumes that the username ends when the colon is found (so it can't contain one), and uses the other part of the token as the password.
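The parsing rule described above, as an added illustration in Python; it is not the project's code. All function names are hypothetical, and `parse_naive` is an assumed example of the failure class, not the former implementation itself.

```python
import base64


def _decode_token(header):
    """Return the decoded 'user:pass' string from a Basic header, or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        return base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def parse_naive(header):
    """Hypothetical flawed parser: assumes the token holds exactly one colon."""
    decoded = _decode_token(header)
    if decoded is None:
        return None
    parts = decoded.split(":")
    if len(parts) != 2:
        return None  # wrongly rejects valid passwords that contain ':'
    return parts[0], parts[1]


def parse_first_colon(header):
    """Username ends at the first colon; everything after it is the password."""
    decoded = _decode_token(header)
    if decoded is None or ":" not in decoded:
        return None  # malformed: no separator at all
    user, _, password = decoded.partition(":")
    return user, password


def make_header(user, password):
    """Build a constructed sample Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


if __name__ == "__main__":
    sample = make_header("alice", "p:ss:word")  # constructed credentials
    print("naive:      ", parse_naive(sample))
    print("first colon:", parse_first_colon(sample))
```
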