Code Review 6947917: Error in basic authentication when user name and password are long
Michael McMahon
Michael.McMahon at Sun.COM
Fri May 7 02:52:26 PDT 2010
Looks fine.
- Michael.
Chris Hegarty wrote:
> Michael,
>
> A minor change to the encoder used for Basic Authentication.
>
> Webrev:
> http://cr.openjdk.java.net/~chegar/6947917/webrev.00/webrev/
>
> The Basic Authentication implementation,
> sun.net.www.protocol.http.BasicAuthentication, uses a
> sun.misc.BASE64Encoder to encode the Authentication headers field
> value. The sun.misc.BASE64Encoder class encodes 57 bytes per line.
> This results in a maximum of 57/3 * 4, or 76, characters per output
> line (not counting the line termination) before writing a LineSuffix,
> i.e. a newline character.
>
> With long usernames and/or passwords it is possible to generate a
> header value with more than 76 characters, therefore causing a newline
> character to be returned as part of the header value. This violates
> the HTTP spec for Message Headers, which states that "Header fields
> can be extended over multiple lines by preceding each extra line with
> at least one SP or HT.".
>
> We should increase the number of bytes per line for the encoder used
> for Basic Authentication, similar to what is done in
> NegotiateAuthentication.
>
> -Chris.
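
The line wrapping described in the quoted message, shown as an added example that is not part of the original thread or the JDK change. It assumes `java.util.Base64` as a stand-in for `sun.misc.BASE64Encoder`, configured to 76 characters per line with a newline separator; the class name, helper names and credentials are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthLineWrap {
    // Assumption: stand-in for the line-wrapping encoder described above,
    // 76 output characters (57 input bytes) per line, then a newline.
    static final Base64.Encoder WRAPPING =
            Base64.getMimeEncoder(76, new byte[] {'\n'});

    // Encoder that never inserts line separators.
    static final Base64.Encoder SINGLE_LINE = Base64.getEncoder();

    // Builds the credentials part of a Basic Authentication header value.
    static String basicHeaderValue(Base64.Encoder enc, String user, String password) {
        byte[] credentials =
                (user + ":" + password).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + enc.encodeToString(credentials);
    }

    // A header value can be written as one header line only if it has no CR or LF.
    static boolean isSingleLine(String headerValue) {
        return headerValue.indexOf('\r') < 0 && headerValue.indexOf('\n') < 0;
    }

    public static void main(String[] args) {
        // Constructed credentials: 40 + 1 + 40 = 81 bytes, more than 57.
        String user = "u".repeat(40);
        String password = "p".repeat(40);

        String wrapped = basicHeaderValue(WRAPPING, user, password);
        String unwrapped = basicHeaderValue(SINGLE_LINE, user, password);

        System.out.println("wrapping encoder, single line:     " + isSingleLine(wrapped));
        System.out.println("non-wrapping encoder, single line: " + isSingleLine(unwrapped));

        // The Base64 payload is identical once the inserted newline is removed.
        System.out.println("same payload without the newline:  "
                + wrapped.replace("\n", "").equals(unwrapped));

        // Short credentials stay under 57 bytes, so the problem does not show.
        String shortValue = basicHeaderValue(WRAPPING, "alice", "secret");
        System.out.println("short credentials, single line:    " + isSingleLine(shortValue));
    }
}
```

A check like `isSingleLine` on any value about to be written as a header catches this class of problem regardless of which encoder produced it.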