[cosmo-dev] Bug 11175: : in username causes chaos

Brian Moseley bcm at osafoundation.org
Mon Nov 26 13:39:54 PST 2007


On Nov 26, 2007 1:06 PM, Travis Vachon <travis at osafoundation.org> wrote:

> The official BNF definition of the HTTP Basic Auth userid is:
>
>       userid      = *<TEXT excluding ":">
>
> where TEXT is defined in rfc2616 as follows:
>
>     The TEXT rule is only used for descriptive field contents and values
>     that are not intended to be interpreted by the message parser. Words
>     of *TEXT MAY contain characters from character sets other than ISO-
>     8859-1 [22] only when encoded according to the rules of RFC 2047
>     [14].
>
>         TEXT           = <any OCTET except CTLs,
>                          but including LWS>

this implies that colon is legal if it's encoded. have you looked at
our supported browsers to see what they do when you present them with
usernames including colon? do they use quoted-printable or base64 to
encode it?

> Given this I'd like to propose that we officially disallow : in
> Chandler Server usernames. Any thoughts?

it would be extremely lame to have the acceptable syntax be "any utf-8
character except colon". imo it should either be "any utf-8" character
or something very restrictive and url-safe like [A-Za-z0-9\0_].
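The thread's core point is that the server splits Basic credentials on the first colon, so a colon in the user-id makes two different (user, password) pairs indistinguishable on the wire. The following Python is an added example written for this page, not Chandler Server / Cosmo code or anything from the thread; the function names (`parse_basic_credentials`, `encode_basic_credentials`, `validate_username`) and the two username policies are assumptions chosen to illustrate the discussion, and it goes slightly beyond the thread by showing the ambiguity concretely and by checking both of Brian's suggested policies.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Hypothetical helper names for this example; not Chandler Server / Cosmo code.
# The Basic scheme sends base64("user-id:password"); the server has no way to
# tell which colon was the separator, so it takes the first one.
_BASIC_RE = re.compile(r"^Basic\s+([A-Za-z0-9+/=]+)\s*$")


def encode_basic_credentials(user: str, password: str) -> str:
    """Build an Authorization header value the way a client would."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Server-side parse: returns (user, password) or None if malformed.

    Everything before the FIRST colon is the user-id; the rest is the password.
    """
    m = _BASIC_RE.match(header_value)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


# Two candidate policies from the thread: something restrictive and URL-safe,
# or "any UTF-8 except colon" (and, here, except control characters).
_URL_SAFE_USERNAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_username(name: str, policy: str = "url-safe") -> bool:
    if policy == "url-safe":
        return _URL_SAFE_USERNAME.fullmatch(name) is not None
    if policy == "any-utf8-except-colon":
        if not name or ":" in name:
            return False
        return not any(ord(c) < 0x20 or c == "\x7f" for c in name)
    raise ValueError(f"unknown policy: {policy}")


def same_wire_form(a: Tuple[str, str], b: Tuple[str, str]) -> bool:
    """True when two distinct (user, password) pairs produce identical headers."""
    return encode_basic_credentials(*a) == encode_basic_credentials(*b)


if __name__ == "__main__":
    # Constructed sample credentials: user "bcm:osaf" with password "pw" is
    # indistinguishable from user "bcm" with password "osaf:pw".
    header = encode_basic_credentials("bcm:osaf", "pw")
    print(header, "->", parse_basic_credentials(header))
    print("ambiguous:", same_wire_form(("bcm:osaf", "pw"), ("bcm", "osaf:pw")))
    for policy in ("url-safe", "any-utf8-except-colon"):
        print(policy, "accepts 'bcm:osaf'?", validate_username("bcm:osaf", policy))
```

Rejecting the colon at account-creation time (whichever policy is chosen) is the cheap fix; the parser can only ever recover the first-colon split, so no amount of server-side cleverness can disambiguate the two pairs shown in `__main__`.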
