Open avtobiff opened 8 months ago
The user-id part of the basic authentication header value should not contain control characters. This should be validated and handled accordingly.
RFC 7617 The 'Basic' HTTP Authentication Scheme Section 2. The 'Basic' Authentication Scheme states [0]
The user-id and password MUST NOT contain any control characters (see "CTL" in Appendix B.1 of [RFC5234]).
RFC 5234Augmented BNF for Syntax Specifications: ABNF Appendix B.1. Core Rules states
CTL = %x00-1F / %x7F ; controls
[0] https://datatracker.ietf.org/doc/html/rfc7617#section-2 [1] https://datatracker.ietf.org/doc/html/rfc5234#appendix-B.1
Thanks for opening this. I noticed this same problem when I was looking at #477 and will work on a fix.
The user-id part of the basic authentication header value should not contain control characters. This should be validated and handled accordingly.
RFC 7617 The 'Basic' HTTP Authentication Scheme Section 2. The 'Basic' Authentication Scheme states [0]
RFC 5234Augmented BNF for Syntax Specifications: ABNF Appendix B.1. Core Rules states
[0] https://datatracker.ietf.org/doc/html/rfc7617#section-2 [1] https://datatracker.ietf.org/doc/html/rfc5234#appendix-B.1