RE: Escaping <\> in HTTP Digest (RFC 2617)

fre 2007-03-23 klockan 23:34 +0100 skrev Scott Lawrence:
> On Fri, 2007-03-23 at 11:59 -0700, Eric Lawrence wrote:
> > IE7 uses WDigest.dll, which escapes the \ into \\.
> > IE6 and previous versions relied on Digest.dll, which did not escape the \.
> Why does it do that?  The spec doesn't say anything about escaping
> inputs to the hash...

Well.. it both does and doesn't.. the specs says

      A1       = unq(username-value) ":" unq(realm-value) ":" passwd

     notation unq(X) means the value of the quoted-string X without the
     surrounding quotes.

       username-value   = quoted-string

       quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
       qdtext         = <any TEXT except <">>
       quoted-pair    = "\" CHAR

There is two ambiguities in the above:

a) that \ isn't excluded in qdtext requiring it to be quoted (\\). Most
likely a bug in the specs as not escaping \ makes it impossible to
unquote the string in a meaningful manner with \ being the escape
character and valid in front of any other character (only needed infront
of " and \, but valid infront of any). There is an open rfc2616bis issue
for this problem.

b) the unq(X) definition, which only says to remove the surrounding
quotes not the \ escapes..  Most likely a bug in the specs however and
it should mean the unquoted value (both surrounding quotes and escapes

So imho in the sensible reading of the specs the hash should be
calculated on the unquoted username-value with both surrounding quotes
and \ escapes removed. And any username-value encoded in the protocol
should have \ escaped. Unfortunately it's not entirely clear on either


Received on Sunday, 25 March 2007 21:47:34 UTC