Closed Bug 453342 Opened 16 years ago Closed 16 years ago

basic authorization header sent incorrectly if it contains non-US-ASCII characters

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
major

Tracking

()

RESOLVED DUPLICATE of bug 41489

People

(Reporter: ghiloni, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15

Apologies if this has been filed before, I cannot find something related.

When responding to an HTTP 401 via the Basic Authorization dialog, if the username or password contains UTF-8 (or other, non-ASCII) characters, the Base64 encoding algorithm encodes the header incorrectly. For example, the auth header

你好世界:password 

should be encoded as

5L2g5aW95LiW55WMOnBhc3N3b3Jk

but instead is encoded as

YH0WTDpwYXNzd29yZA==

I had a similar bug in my encoding algorithm -- it was caused by not UTF-8 encoding the string before base64 encoding it. Hope that helps resolve it.

This happens on 2.0.0.15 and 3.0.1

Reproducible: Always

Steps to Reproduce:
1. Find a site that has a user that uses non-ASCII characters (unfortunately, I cannot share mine as it is part of my corporate network and not internet-facing)
2. Attempt to log in using that user

Actual Results:  
EVen though the user is valid, you should receive another 401.

Expected Results:  
You should receive a 200.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.