
curl-tracker Archives

[curl:bugs] #1230 Authorization header does not employ escaping

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Mon, 27 May 2013 17:49:59 +0000

- **status**: open-confirmed --> closed-fixed

---
**[bugs:#1230] Authorization header does not employ escaping**
**Status:** closed-fixed
**Created:** Mon May 27, 2013 12:57 PM UTC by Nach M. S.
**Last Updated:** Mon May 27, 2013 03:54 PM UTC
**Owner:** Daniel Stenberg

```
curl 7.30.0 (x86_64-pc-linux-gnu) libcurl/7.30.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.25 libssh2/1.4.2 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
```

According to RFC2617, the Authorization header is supposed to be a quoted-string. According to RFC2616 and its errata, a quoted-string is a string enclosed between two double quote characters, and all double quote characters and backslash characters within it are preceded by a backslash.

cURL does not escape, as can be seen when passing a username containing " and \ with Digest Authentication.

I see it sending the following to my server in a test:

```
Authorization: Digest username="Nach = " \ -", realm="Test", nonce="JlGjUQAAAAByWa0wBPwJElZJ7HJq1GSwRDkLcgxigS2q6IEPrdlLXGXCKtrvx4cN", uri="/digest/", cnonce="ICAgICAgICAgICAgICAgICAgICAgICAgICA2MTE5NTA=", nc=00000001, qop=auth, response="629c3aa78e84563dfeaafdd836fa708b", algorithm="MD5-sess"
```

Clearly that username field is wrong, and should be: `username="Nach = \" \\ -"`

User-agents which properly escape:

- Firefox
- Chrome

User-agents which do not properly escape:

- cURL
- Opera

I didn't test beyond these.

Edit:
It looks like SourceForge's bug editor is screwing with the slashes, so I'm copying this report elsewhere, so it can be viewed correctly: http://paste.nachsoftware.com/Nach/XvtgYe5a2911e72d11f69358651a3578a86df6pP
---
Received on 2013-05-27
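
The quoted-string escaping rule cited in the report, written out in C as an added example; it is not part of the original report and not curl's own code or fix. The function names `quoted_string_escape` and `digest_username_field` and the buffer sizes are assumptions made for illustration, and the user name in `main` is the constructed value from the report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a libcurl function): copy src into dst as the
 * inside of an RFC 2616 quoted-string, putting a backslash before every
 * '"' and '\'. Returns the escaped length, or -1 if dst (dstlen bytes,
 * NUL included) is too small; dst is then emptied, never left truncated. */
static long quoted_string_escape(const char *src, char *dst, size_t dstlen)
{
  size_t o = 0;
  if(!dst || !dstlen)
    return -1;
  for(; *src; src++) {
    size_t need = (*src == '"' || *src == '\\') ? 2 : 1;
    if(o + need >= dstlen) {   /* keep room for the terminating NUL */
      dst[0] = '\0';
      return -1;
    }
    if(need == 2)
      dst[o++] = '\\';
    dst[o++] = *src;
  }
  dst[o] = '\0';
  return (long)o;
}

/* Hypothetical helper: build the username="..." field of a Digest
 * Authorization header. Returns 0 on success, -1 if it does not fit. */
static int digest_username_field(const char *user, char *out, size_t outlen)
{
  static const char prefix[] = "username=\"";
  char esc[256];               /* assumed upper bound for this example */
  long n = quoted_string_escape(user, esc, sizeof(esc));
  if(n < 0 || sizeof(prefix) - 1 + (size_t)n + 2 > outlen)
    return -1;
  memcpy(out, prefix, sizeof(prefix) - 1);
  memcpy(out + sizeof(prefix) - 1, esc, (size_t)n);
  memcpy(out + sizeof(prefix) - 1 + (size_t)n, "\"", 2); /* quote + NUL */
  return 0;
}

int main(void)
{
  char field[300];
  /* constructed sample: the user name from the report */
  if(digest_username_field("Nach = \" \\ -", field, sizeof(field)) == 0)
    puts(field);
  return 0;
}
```

Failing closed on a short buffer matters here: a value cut off after an escaping backslash would leave the closing quote escaped and the header malformed again.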
