#292 ✓resolved
Michael Klett

HTTP basic auth (basic_auth) credentials should not have newlines in the base64 encoding

Reported by Michael Klett | September 23rd, 2009 @ 11:04 AM

According to RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt), the 76 character line limit normally enforced by Base64 encoding should not apply to the encoding of HTTP basic authentication credentials.

A long username and password pair (somewhere around 76 chars total) will be encoded incorrectly by Webrat for HTTP basic authentication, since the Array#pack method used for Base64 encoding in basic_auth automatically inserts newlines.

A patch, with specs, is attached. I have also verified that this works with Rails' built in support for HTTP basic authentication. I originally found this due to spurious errors in my tests, where the username and password pair were being auto-generated, and would sometimes be long enough to trigger this behavior.

Note that other projects have seen and solved the same thing, e.g. https://jira.jboss.org/jira/browse/JBREM-806
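The following is an added example (written for this page; it is neither Webrat's code nor the attached patch) that reproduces the problem the ticket describes and contrasts it with an RFC 2617 style single-line encoding. Ruby's `Array#pack('m')` wraps its output every 60 characters (45 input bytes) and always appends a trailing "\n", so the break lands a little earlier than the 76 characters mentioned above. The helper names, the sample credentials and the whitespace-splitting decoder are all assumptions made for the example; the latter is a constructed stand-in for a server that tokenises the header on whitespace, not Rails' own code.

```ruby
# Added example, not Webrat's code: shows how Array#pack('m') breaks an HTTP
# Basic Authorization header value and how a single-line encoding fixes it.

# Build the Authorization header value for user/pass.
#   strict: true  -> pack('m0'): Base64 with no line breaks (RFC 2617 style)
#   strict: false -> pack('m'):  reproduces the reported bug; Ruby wraps the
#                    output every 60 characters (45 input bytes) and always
#                    appends a trailing "\n"
def basic_auth_header(user, pass, strict: true)
  credentials = "#{user}:#{pass}"
  encoded = [credentials].pack(strict ? 'm0' : 'm')
  "Basic #{encoded}"
end

# The Net::HTTP approach quoted in the comments: encode with line breaks,
# then strip them. pack('m') only ever emits "\n", so the "\r" in the delete
# set is harmless but never matches pack output.
def basic_auth_header_stripped(user, pass)
  'Basic ' + ["#{user}:#{pass}"].pack('m').delete("\r\n")
end

# A value is only usable as a single HTTP header line if it carries no CR/LF.
def single_line_header?(value)
  !value.match?(/[\r\n]/)
end

# Tolerant server-side decoder: split scheme from credentials once, then let
# non-strict Base64 decoding skip any embedded whitespace.
def decode_basic(header_value)
  scheme, encoded = header_value.split(' ', 2)
  return nil unless scheme == 'Basic' && encoded
  encoded.unpack1('m').split(':', 2)
end

# Constructed stand-in (hypothetical, not Rails' code) for a server that
# tokenises the header on whitespace and decodes the last token only.
def decode_basic_whitespace_split(header_value)
  header_value.split.last.unpack1('m').split(':', 2)
end

# Compare both encodings on a constructed credential pair long enough
# (more than 45 bytes as "user:pass") to get a line break mid-encoding.
def compare_encodings(user = 'service-account-' + 'x' * 20, pass = 'p' * 30)
  buggy = basic_auth_header(user, pass, strict: false)
  fixed = basic_auth_header(user, pass)
  {
    buggy_single_line:      single_line_header?(buggy),                          # false
    fixed_single_line:      single_line_header?(fixed),                          # true
    stripped_matches_fixed: basic_auth_header_stripped(user, pass) == fixed,     # true
    tolerant_decodes_buggy: decode_basic(buggy) == [user, pass],                 # true
    split_decodes_buggy:    decode_basic_whitespace_split(buggy) == [user, pass], # false
    split_decodes_fixed:    decode_basic_whitespace_split(fixed) == [user, pass]  # true
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_encodings.each { |k, v| puts "#{k}: #{v}" }
end
```

Two points worth noting from the run: a tolerant Base64 decoder recovers the credentials even from the wrapped value, so the failure only shows up against a server that treats the header as whitespace-separated tokens, and even a short credential pair gets a trailing "\n" from `pack('m')`; it is the embedded break past 45 bytes that defeats such a parser. `pack('m0')` is what `Base64.strict_encode64` calls internally, so either spelling gives the single-line form. Outside an in-process test harness the same defect is a header injection: a CR/LF inside a header value sent on the wire starts a new header line, which is why HTTP forbids it in the first place.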

Comments and changes to this ticket

  • Michael Klett

    Michael Klett September 23rd, 2009 @ 12:14 PM

    FYI, I glanced in Net::HTTP code at their basic_encode method, which gives a slightly different way of accomplishing this:

    def basic_encode(account, password)
      # strip the line breaks that pack('m') inserts
      'Basic ' + ["#{account}:#{password}"].pack('m').delete("\r\n")
    end

    Does the carriage return part (\r) make this more robust across platforms?

  • Bryan Helmkamp

    Bryan Helmkamp November 15th, 2009 @ 04:52 PM

    • State changed from “new” to “resolved”

    Thanks, Michael. Applied to master.


