Kitura / Kitura-CredentialsHTTP

A plugin for the Kitura-Credentials framework that authenticates using HTTP Basic and Digest authentication
Apache License 2.0

Incorrect handling of password containing colon in HTTP Basic Authentication. #54

Closed drewmccormack closed 5 years ago

drewmccormack commented 5 years ago

In HTTP Basic Auth, although a username may not contain a colon, a password may. At this point, Kitura authentication fails when supplying a password containing a colon.

The lines in question seem to be here: https://github.com/IBM-Swift/Kitura-CredentialsHTTP/blob/660c43cf11da63561e45dd14d805c34041bd73fa/Sources/CredentialsHTTP/CredentialsHTTPBasic.swift#L110-L117

The password is set to be the second item in the components (after separating by colons), but actually, the password should be all items after the first, joined by colons. So...

user:pass:with:some:colons

User is item 0. Pass is 1...4 joined by : characters, namely pass:with:some:colons.

ianpartridge commented 5 years ago

Fixed in https://github.com/IBM-Swift/Kitura-CredentialsHTTP/releases/tag/2.1.1 - thanks @drewmccormack !
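The parsing difference described in the issue, as an added example that is not Kitura's code or the code from the linked fix. The function names `decodeBasic`, `parseSplitAll` and `parseSplitFirst` are hypothetical, and the header is constructed from the credentials quoted in the issue.

```swift
import Foundation

// Added illustration; all function names are hypothetical, not Kitura's API.

/// Decodes an "Authorization: Basic <base64>" header value into "userid:password".
func decodeBasic(_ header: String) -> String? {
    let parts = header.split(separator: " ", maxSplits: 1, omittingEmptySubsequences: true)
    guard parts.count == 2,
          parts[0].lowercased() == "basic",
          let data = Data(base64Encoded: String(parts[1])),
          let decoded = String(data: data, encoding: .utf8) else { return nil }
    return decoded
}

/// Behaviour described in the issue: split on every colon and
/// take item 1 as the password, which truncates it at its first colon.
func parseSplitAll(_ header: String) -> (user: String, password: String)? {
    guard let decoded = decodeBasic(header) else { return nil }
    let items = decoded.components(separatedBy: ":")
    guard items.count >= 2 else { return nil }
    return (items[0], items[1])
}

/// Split only at the first colon: the user is everything before it,
/// the password is everything after it, colons included.
func parseSplitFirst(_ header: String) -> (user: String, password: String)? {
    guard let decoded = decodeBasic(header),
          let colon = decoded.firstIndex(of: ":") else { return nil }
    let user = String(decoded[..<colon])
    let password = String(decoded[decoded.index(after: colon)...])
    return (user, password)
}

// Constructed sample header built from the credentials in the issue.
let credentials = "user:pass:with:some:colons"
let header = "Basic " + Data(credentials.utf8).base64EncodedString()

if let all = parseSplitAll(header) {
    print("split on every colon -> user: \(all.user), password: \(all.password)")
}
if let first = parseSplitFirst(header) {
    print("split on first colon -> user: \(first.user), password: \(first.password)")
}
```

A regression test for this class of bug should include passwords with one colon, several colons, a trailing colon, and an empty password, since each exercises a different branch of the split.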