On 16/04/2024 08:18, Mark Thomas wrote:

<snip/>

Tomcat's current implementation is based on RFC 2617 and allows the following:
- white space around the base64
- embedded line breaks in the base64
- missing padding
- illegal characters in the base64 (ignored)
- illegal characters in the base64 padding (ignored)
- excessive padding
- whitespace around the decoded password

I don't see any of the above causing issues apart from the last one which prevents the use of passwords with leading or trailing whitespace.

Just following up on this.

Prior to Tomcat 9.0.15, Tomcat always did this.

From 9.0.15 Tomcat did this by default but it could be disabled.

I intend to remove this feature from Tomcat 11 and disable it by default in earlier versions.

Mark

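Added example, not part of the original message and not Tomcat's code: a Python model of the leniencies listed above beside a strict parser, showing how trimming the decoded password changes a credential that has leading or trailing whitespace. The function names, the `trim_password` flag and the sample headers are assumptions made for illustration.

```python
import base64
import binascii
import re

NON_ALPHABET = re.compile(r"[^A-Za-z0-9+/]")
CANONICAL = re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")


def _split(scheme, blob):
    """Decode a clean base64 blob and split it at the first colon."""
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    try:
        user, sep, password = base64.b64decode(blob).decode("utf-8").partition(":")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("undecodable credentials") from exc
    if not sep:
        raise ValueError("no colon between user and password")
    return user, password


def parse_lenient(header, trim_password=True):
    """Model of the tolerant behaviour listed in the message (hypothetical helper)."""
    scheme, _, blob = header.strip().partition(" ")
    # Dropping every non-alphabet character covers surrounding white space,
    # embedded line breaks, illegal characters and any amount of '=' padding.
    blob = NON_ALPHABET.sub("", blob)
    blob += "=" * (-len(blob) % 4)  # restore missing padding
    user, password = _split(scheme, blob)
    return user, password.strip() if trim_password else password


def parse_strict(header):
    """Single space, canonical base64 only, credentials returned untouched."""
    scheme, _, blob = header.partition(" ")
    if not CANONICAL.fullmatch(blob):
        raise ValueError("non-canonical base64")
    return _split(scheme, blob)


# Constructed sample: the password " s3cret " has a leading and a trailing space.
CLEAN = "Basic " + base64.b64encode(b"alice: s3cret ").decode("ascii")
_b64 = CLEAN[6:].rstrip("=")
# Same credentials with extra spaces, a line break, a '*' and excess padding.
MESSY = "Basic   " + _b64[:6] + "\r\n " + _b64[6:] + "*=====  "

if __name__ == "__main__":
    print(parse_lenient(MESSY))                       # password trimmed
    print(parse_lenient(MESSY, trim_password=False))  # password preserved
    print(parse_strict(CLEAN))                        # password preserved
```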