
HTTP basic auth (basic_auth) credentials should not have newlines in the base64 encoding
Reported by Michael Klett | September 23rd, 2009 @ 11:04 AM
According to RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt), the 76 character line limit normally enforced by Base64 encoding should not apply to the encoding of HTTP basic authentication credentials.
A long username and password pair (somewhere around 76 chars total) will be encoded incorrectly by Webrat for HTTP basic authentication, since the Array#pack method used for Base64 encoding in basic_auth automatically inserts newlines.
A patch, with specs, is attached. I have also verified that this works with Rails' built-in support for HTTP basic authentication. I originally found this due to spurious errors in my tests, where the username and password pair were being auto-generated, and would sometimes be long enough to trigger this behavior.
Note that other projects have seen and solved the same thing, i.e. https://jira.jboss.org/jira/browse/JBREM-806
Comments and changes to this ticket
-
Michael Klett September 23rd, 2009 @ 12:14 PM
FYI, I glanced in Net::HTTP code at their basic_encode method, which gives a slightly different way of accomplishing this:

    def basic_encode(account, password)
      'Basic ' + ["#{account}:#{password}"].pack('m').delete("\r\n")
    end

Does the carriage return part (\r) make this more robust across platforms?
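The behaviour discussed in this ticket, as an added example that is not the attached patch or Webrat's own code: it compares the line-wrapped encoding with two single-line forms and checks header values for embedded CR/LF. The function names and the credentials are constructed for illustration.

```ruby
# Added example; not Webrat's code. USER and PASS are constructed values.

# Array#pack('m') wraps its output: a "\n" follows every 60 encoded
# characters (45 input bytes), and the final line also ends with "\n".
def wrapped_basic(user, pass)
  'Basic ' + ["#{user}:#{pass}"].pack('m')
end

# 'm0' tells pack to emit no line feeds at all.
def strict_basic(user, pass)
  'Basic ' + ["#{user}:#{pass}"].pack('m0')
end

# The Net::HTTP-style form quoted in the comment above.
def stripped_basic(user, pass)
  'Basic ' + ["#{user}:#{pass}"].pack('m').delete("\r\n")
end

# Guard for test helpers and HTTP clients: a header value must not
# contain CR or LF, otherwise the header is malformed or split.
def safe_header_value?(value)
  !value.match?(/[\r\n]/)
end

# Decode the credentials part the way a server would.
def decode_basic(header)
  header.sub(/\ABasic /, '').unpack1('m')
end

USER = 'generated-user-' + 'a' * 30 # constructed, 45 bytes
PASS = 'generated-pass-' + 'b' * 30 # constructed, 45 bytes

if __FILE__ == $PROGRAM_NAME
  wrapped = wrapped_basic(USER, PASS)
  strict  = strict_basic(USER, PASS)
  puts "wrapped newlines: #{wrapped.count("\n")}"
  puts "wrapped safe?     #{safe_header_value?(wrapped)}"
  puts "strict safe?      #{safe_header_value?(strict)}"
  puts "forms agree?      #{strict == stripped_basic(USER, PASS)}"
end
```
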
-
Bryan Helmkamp November 15th, 2009 @ 04:52 PM
- State changed from new to resolved
Thanks, Michael. Applied to master.
Cheers,
-Bryan
Ruby Acceptance Testing for Web applications.