W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2007

Re: Escaping <\> in HTTP Digest (RFC 2617)

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Tue, 20 Mar 2007 12:15:33 +0100
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: ietf-http-wg@w3.org
Message-Id: <1174389333.12435.46.camel@henriknordstrom.net>
lör 2007-03-17 klockan 21:43 +0000 skrev Alexey Melnikov:
> Hi,
> I would like to get some feedback on what HTTP Digest implementations do
> with '\' in username/realm/password. For example, if I have a username
> 'example.com\user1', do implementations hash 'example.com\\user1' (i.e.
> the \ is escaped with another \), or just 'example.com\user1' (single
> slash).

The implementation in Squid takes the RFC literal and just removes the
quotes, hashing the escaped string as-is.

2617 3.2.1 definition of algorithm

     The
     notation unq(X) means the value of the quoted-string X without the
     surrounding quotes.


2616 2.2 definition of quoted-string

       quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
       qdtext         = <any TEXT except <">>
       quoted-pair    = "\" CHAR


Which reminds me... the above definition isn't good..

Regards
Henrik

Received on Tuesday, 20 March 2007 11:15:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:00 GMT