W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2007

RE: Escaping <\> in HTTP Digest (RFC 2617)

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Sun, 25 Mar 2007 23:47:05 +0200
To: Scott Lawrence <scott@skrb.org>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <1174859225.16825.16.camel@henriknordstrom.net>
fre 2007-03-23 klockan 23:34 +0100 skrev Scott Lawrence:
> On Fri, 2007-03-23 at 11:59 -0700, Eric Lawrence wrote:
> > IE7 uses WDigest.dll, which escapes the \ into \\.
> > IE6 and previous versions relied on Digest.dll, which did not escape the \.
> 
> Why does it do that?  The spec doesn't say anything about escaping
> inputs to the hash...

Well.. it both does and doesn't.. the specs says

      A1       = unq(username-value) ":" unq(realm-value) ":" passwd

     The
     notation unq(X) means the value of the quoted-string X without the
     surrounding quotes.

       username-value   = quoted-string

       quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
       qdtext         = <any TEXT except <">>
       quoted-pair    = "\" CHAR

There is two ambiguities in the above:

a) that \ isn't excluded in qdtext requiring it to be quoted (\\). Most
likely a bug in the specs as not escaping \ makes it impossible to
unquote the string in a meaningful manner with \ being the escape
character and valid in front of any other character (only needed infront
of " and \, but valid infront of any). There is an open rfc2616bis issue
for this problem.

b) the unq(X) definition, which only says to remove the surrounding
quotes not the \ escapes..  Most likely a bug in the specs however and
it should mean the unquoted value (both surrounding quotes and escapes
removed).


So imho in the sensible reading of the specs the hash should be
calculated on the unquoted username-value with both surrounding quotes
and \ escapes removed. And any username-value encoded in the protocol
should have \ escaped. Unfortunately it's not entirely clear on either
point..

Regards
Henrik

Received on Sunday, 25 March 2007 21:47:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:00 GMT