[jira] (WAGON-260) very long passwords cause LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header

Thu, 05 Jul 2012 16:55:48 -0700 

    [ 
https://jira.codehaus.org/browse/WAGON-260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=302883#comment-302883
 ] 

Barrie Treloar commented on WAGON-260:
--------------------------------------

See
* 
http://bugs.sun.com/bugdatabase/view_bug.do;jsessionid=598a0bf17db1873eb2ea1293aa756?bug_id=6947917
Summary:
{noformat}
The Basic Authentication implementation, 
sun.net.www.protocol.http.BasicAuthentication, uses a sun.misc.BASE64Encoder to 
encode the Authentication headers field value. The sun.misc.BASE64Encoder class 
encodes 57 bytes per line. This results in a maximum of 57/3 * 4, or 76, 
characters per output line (not counting the line termination) before writing a 
LineSuffix, i.e. a newline character.

With long long usernames and/or passwords it is possible to generate a header 
value with more than 76 characters, therefore causing a newline character to be 
returned as part of the header value. This violates the HTTP spec for Message 
Headers, which states that "Header fields can be extended over multiple lines 
by preceding each extra line with at least one SP or HT.".

CUSTOMER SUBMITTED WORKAROUND :
Only known workaround is to use a 3rd party library for URL connections such as 
HttpClient.
Posted Date : 2010-04-28 06:32:21.0
{noformat}

For us, the real work around is to use shorter passwords.
i.e. stick passwords no greater than 76 characters.
                
> very long passwords cause LightweightHTTP wagon to line-wrap the 
> Base64-encoded Authorization header
> ----------------------------------------------------------------------------------------------------
>
>                 Key: WAGON-260
>                 URL: https://jira.codehaus.org/browse/WAGON-260
>             Project: Maven Wagon
>          Issue Type: Bug
>          Components: wagon-http-lightweight
>    Affects Versions: 1.0-beta-5
>            Reporter: John Casey
>             Fix For: 1.1
>
>
> this is because of Sun's Base64 and HTTPURLConnection implementations, which 
> the lightweight http wagon depends upon.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to