[cosmo-dev] Bug 11175: : in username causes chaos

Travis Vachon travis at osafoundation.org
Mon Nov 26 13:06:16 PST 2007


Hi folks

Bug 11175 points out a problem with allowing : (colon) in usernames.  
This problem exists because : is not allowed in HTTP Basic Auth  
usernames since : is the separator between the username and password.

The official BNF definition of the HTTP Basic Auth userid is:

      userid      = *<TEXT excluding ":">

where TEXT is defined in RFC 2616 as follows:

    The TEXT rule is only used for descriptive field contents and values
    that are not intended to be interpreted by the message parser. Words
    of *TEXT MAY contain characters from character sets other than ISO-
    8859-1 [22] only when encoded according to the rules of RFC 2047
    [14].

        TEXT           = <any OCTET except CTLs,
                         but including LWS>




The only mention I could find of quoting was:

    The backslash character ("\") MAY be used as a single-character
    quoting mechanism only within quoted-string and comment constructs.


which doesn't apply to TEXT.

I emailed the www-talk at w3.org mailing list asking about a way to  
escape : but haven't heard anything back.

Given this, I'd like to propose that we officially disallow : in
Chandler Server usernames. Any thoughts?

-Travis
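
The ambiguity described in this message, as an added example that is not part of the original post or of Chandler Server's code: a Basic Auth round trip showing where the server places the userid/password boundary, plus a signup-time userid check. All function names and the sample accounts are assumptions made for illustration.

```python
import base64

def encode_basic(userid, password):
    """Client side: join userid and password with ':' and base64-encode."""
    raw = f"{userid}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_basic(header):
    """Server side: the first ':' ends the userid, because the grammar
    says a userid cannot contain one."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    userid, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("no ':' separator in credentials")
    return userid, password

def is_valid_userid(userid):
    """Account-creation check: userid = *<TEXT excluding ":">.
    Assumption: stricter than TEXT, also rejecting empty names and all
    control characters (including the LWS ones TEXT would permit)."""
    if not userid:
        return False
    return all(c != ":" and 32 <= ord(c) <= 255 and ord(c) != 127
               for c in userid)

# Constructed sample accounts (not taken from the bug report).
SAMPLES = [("alice", "pa:ss"), ("alice:smith", "pw")]

def round_trips():
    """Return (sent, received, accepted_at_signup) for each sample."""
    return [((u, p), decode_basic(encode_basic(u, p)), is_valid_userid(u))
            for u, p in SAMPLES]

if __name__ == "__main__":
    for sent, received, ok in round_trips():
        print(f"sent={sent!r} server_sees={received!r} valid_userid={ok}")
```

A colon in the password survives the round trip, while a colon in the userid shifts the boundary so the server sees a different account name and password than the client sent.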

