GNU bug report logs - #36619
26.2; url-auth: Base64 encoded Basic auth password truncated

Previous Next

Package: emacs;

Reported by: Joshua Bachmeier <joshua <at> bachmeier.cc>

Date: Fri, 12 Jul 2019 18:39:02 UTC

Severity: normal

Tags: fixed

Found in version 26.2

Fixed in version 27.1

Done: Lars Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 36619 in the body.
You can then email your comments to 36619 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#36619; Package emacs. (Fri, 12 Jul 2019 18:39:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Joshua Bachmeier <joshua <at> bachmeier.cc>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Fri, 12 Jul 2019 18:39:04 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Joshua Bachmeier <joshua <at> bachmeier.cc>
To: bug-gnu-emacs <at> gnu.org
Subject: 26.2; url-auth: Base64 encoded Basic auth password truncated
Date: Fri, 12 Jul 2019 20:07:36 +0200

My password (retrived by the url package with `auth-source') is rather
long. When encoding it in base64 (using `base64-encode-string') in
`url/url-auth.el:123' it is split into multiple lines (this behaviour is
specified in the documentation of `base64-encode-string'. However, since
the base64-string is then simply put into the HTTP header, everything
after the first newline is lost, the password is effectively truncated.

`base64-encode-string' provides an optional argument to supress line
splitting. I guess this should be used here (and propably in many other places).


In GNU Emacs 26.2 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.8)
 of 2019-04-12 built on juergen
Windowing system distributor 'The X.Org Foundation', version 11.0.12005000

Configured using:
 'configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib
 --localstatedir=/var --with-x-toolkit=gtk3 --with-xft --with-modules
 'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong
 -fno-plt' CPPFLAGS=-D_FORTIFY_SOURCE=2
 LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now'

--
Joshua Bachmeier
Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#36619; Package emacs. (Fri, 12 Jul 2019 23:29:01 GMT) Full text and rfc822 format available.

Message #8 received at 36619 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Joshua Bachmeier <joshua <at> bachmeier.cc>
Cc: 36619 <at> debbugs.gnu.org
Subject: Re: bug#36619: 26.2;
 url-auth: Base64 encoded Basic auth password truncated
Date: Sat, 13 Jul 2019 01:28:38 +0200

Joshua Bachmeier <joshua <at> bachmeier.cc> writes:

> My password (retrived by the url package with `auth-source') is rather
> long. When encoding it in base64 (using `base64-encode-string') in
> `url/url-auth.el:123' it is split into multiple lines (this behaviour is
> specified in the documentation of `base64-encode-string'. However, since
> the base64-string is then simply put into the HTTP header, everything
> after the first newline is lost, the password is effectively truncated.

This should now be fixed on the Emacs trunk.

> `base64-encode-string' provides an optional argument to supress line
> splitting. I guess this should be used here (and propably in many
> other places).

I went through the Emacs codebase, and the only other place this seemed
to be an issue was in nnimap.el, and explains a mysterious bug report
about truncated auth.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
Added tag(s) fixed. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Fri, 12 Jul 2019 23:30:02 GMT) Full text and rfc822 format available.
bug marked as fixed in version 27.1, send any further explanations to 36619 <at> debbugs.gnu.org and Joshua Bachmeier <joshua <at> bachmeier.cc> Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Fri, 12 Jul 2019 23:30:03 GMT) Full text and rfc822 format available.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 10 Aug 2019 11:24:04 GMT) Full text and rfc822 format available.
This bug report was last modified 4 years and 260 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.