bug#36619: 26.2; url-auth: Base64 encoded Basic auth password truncated

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

bug#36619: 26.2; url-auth: Base64 encoded Basic auth password truncated

Joshua Bachmeier
My password (retrived by the url package with `auth-source') is rather
long. When encoding it in base64 (using `base64-encode-string') in
`url/url-auth.el:123' it is split into multiple lines (this behaviour is
specified in the documentation of `base64-encode-string'. However, since
the base64-string is then simply put into the HTTP header, everything
after the first newline is lost, the password is effectively truncated.

`base64-encode-string' provides an optional argument to supress line
splitting. I guess this should be used here (and propably in many other places).


In GNU Emacs 26.2 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.8)
 of 2019-04-12 built on juergen
Windowing system distributor 'The X.Org Foundation', version 11.0.12005000

Configured using:
 'configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib
 --localstatedir=/var --with-x-toolkit=gtk3 --with-xft --with-modules
 'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong
 -fno-plt' CPPFLAGS=-D_FORTIFY_SOURCE=2
 LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now'

--
Joshua Bachmeier



Reply | Threaded
Open this post in threaded view
|

bug#36619: 26.2; url-auth: Base64 encoded Basic auth password truncated

Lars Ingebrigtsen
Joshua Bachmeier <[hidden email]> writes:

> My password (retrived by the url package with `auth-source') is rather
> long. When encoding it in base64 (using `base64-encode-string') in
> `url/url-auth.el:123' it is split into multiple lines (this behaviour is
> specified in the documentation of `base64-encode-string'. However, since
> the base64-string is then simply put into the HTTP header, everything
> after the first newline is lost, the password is effectively truncated.

This should now be fixed on the Emacs trunk.

> `base64-encode-string' provides an optional argument to supress line
> splitting. I guess this should be used here (and propably in many
> other places).

I went through the Emacs codebase, and the only other place this seemed
to be an issue was in nnimap.el, and explains a mysterious bug report
about truncated auth.

--
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no