search

erlyaws / yaws

Yaws webserver
https://erlyaws.github.io
BSD 3-Clause "New" or "Revised" License
1.28k stars 267 forks source link

Check that Basic authentication user doesn't contain control characters #478

Open avtobiff opened 8 months ago

avtobiff commented 8 months ago

The user-id part of the basic authentication header value should not contain control characters. This should be validated and handled accordingly.

RFC 7617 The 'Basic' HTTP Authentication Scheme Section 2. The 'Basic' Authentication Scheme states [0]

   The user-id and password MUST NOT contain any control characters (see
   "CTL" in Appendix B.1 of [RFC5234]).

RFC 5234Augmented BNF for Syntax Specifications: ABNF Appendix B.1. Core Rules states

         CTL            =  %x00-1F / %x7F
                                ; controls

[0] https://datatracker.ietf.org/doc/html/rfc7617#section-2 [1] https://datatracker.ietf.org/doc/html/rfc5234#appendix-B.1

vinoski commented 7 months ago

Thanks for opening this. I noticed this same problem when I was looking at #477 and will work on a fix.