Commit fc4bd450 authored by Ricki Hirner's avatar Ricki Hirner

Always use UTF-8 encoding for credentials (before: ISO-8859-1 for Basic auth)

parent 9436738e
Pipeline #4592433 passed with stage
in 5 minutes and 19 seconds
......@@ -18,7 +18,6 @@ import java.util.concurrent.atomic.AtomicInteger;
import lombok.NonNull;
import okhttp3.Authenticator;
import okhttp3.Credentials;
import okhttp3.Interceptor;
import okhttp3.Request;
import okhttp3.RequestBody;
......@@ -106,8 +105,16 @@ public class BasicDigestAuthHandler implements Authenticator, Interceptor {
} else if (basicAuth != null) {
Constants.log.fine("Adding Basic authorization header for " + request.url());
/* In RFC 2617 (obsolete), there was no encoding for credentials defined, although
one can interpret it as "use ISO-8859-1 encoding". This has been clarified by RFC 7617,
which creates a new charset parameter for WWW-Authenticate, which always must be UTF-8.
So, UTF-8 encoding for credentials is compatible with all RFC 7617 servers and many,
but not all pre-RFC 7617 servers. */
final String credentials = username + ":" + password;
return request.newBuilder()
.header(HEADER_AUTHORIZATION, Credentials.basic(username, password))
.header(HEADER_AUTHORIZATION, "Basic " + ByteString.of(credentials.getBytes()).base64())
.build();
} else if (response != null)
Constants.log.warning("No supported authentication scheme");
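Review bot: `credentials.getBytes()` on the new Authorization header line encodes with the JVM default charset rather than UTF-8, so the guarantee in the commit message only holds where that default happens to be UTF-8 (Android, or Java 18+ under JEP 400); the comment above argues for UTF-8 but the code does not pin it. Use `credentials.getBytes(StandardCharsets.UTF_8)` (adding `import java.nio.charset.StandardCharsets;`) or okio's `ByteString.encodeUtf8(credentials)`, which also avoids the intermediate byte array. With the charset pinned, the `paßword` case in the test file asserts the same Base64 result on every platform instead of a host-dependent one. The enclosing method starts and ends outside this hunk; only the `} else if (basicAuth != null)` branch is changed here.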
......@@ -11,9 +11,12 @@ package at.bitfire.dav4android;
import org.junit.Test;
import okhttp3.MediaType;
import okhttp3.Protocol;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
......@@ -22,11 +25,35 @@ import static org.junit.Assert.assertTrue;
public class BasicDigestAuthHandlerTest {
@Test
public void testRFCExample() {
public void testBasic() {
BasicDigestAuthHandler authenticator = new BasicDigestAuthHandler(null, "user", "password");
Request original = new Request.Builder()
.url("http://example.com")
.build();
Response response = new Response.Builder()
.request(original)
.protocol(Protocol.HTTP_1_1)
.code(401)
.header("WWW-Authenticate", "Basic realm=\"WallyWorld\"")
.build();
Request request = authenticator.authenticateRequest(original, response);
assertEquals("Basic dXNlcjpwYXNzd29yZA==", request.header("Authorization"));
// special characters: always use UTF-8 (and don't crash on RFC 7617 charset header)
authenticator = new BasicDigestAuthHandler(null, "username", "paßword");
response = response.newBuilder()
.header("WWW-Authenticate", "Basic realm=\"WallyWorld\",charset=UTF-8")
.build();
request = authenticator.authenticateRequest(original, response);
assertEquals("Basic dXNlcm5hbWU6cGHDn3dvcmQ=", request.header("Authorization"));
}
@Test
public void testDigestRFCExample() {
// use cnonce from example
BasicDigestAuthHandler authenticator = new BasicDigestAuthHandler(null, "Mufasa", "Circle Of Life");
authenticator.clientNonce = "0a4f113b";
authenticator.nonceCount.set(1);
BasicDigestAuthHandler.clientNonce = "0a4f113b";
BasicDigestAuthHandler.nonceCount.set(1);
// construct WWW-Authenticate
HttpUtils.AuthScheme authScheme = new HttpUtils.AuthScheme("Digest");
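Review bot: The charset form exercised by the rebuilt `WWW-Authenticate` header in testBasic is the bare `charset=UTF-8`, while RFC 7617 §2.1 shows the parameter quoted (`charset="UTF-8"`) and matched case-insensitively; adding the quoted and lower-case spellings to the same test would show the parser accepts all of them rather than merely not crashing on one. The `paßword` assertion also pins a result that, with the handler's current unqualified `getBytes()`, depends on the host's default charset, so a failure of that line could be environmental rather than a regression. The digest tests now assign `BasicDigestAuthHandler.clientNonce` and `BasicDigestAuthHandler.nonceCount` through the class, which reads as those fields having become static; if so, nonce state is shared across every handler instance, and a one-line comment such as `// fixtures reset shared class-level nonce state` at the first assignment would make that dependency between tests explicit.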
......@@ -53,10 +80,10 @@ public class BasicDigestAuthHandlerTest {
}
@Test
public void testRealWorldExamples() {
public void testDigestRealWorldExamples() {
BasicDigestAuthHandler authenticator = new BasicDigestAuthHandler(null, "demo", "demo");
authenticator.clientNonce = "MDI0ZDgxYTNmZDk4MTA1ODM0NDNjNmJjNDllYjQ1ZTI=";
authenticator.nonceCount.set(1);
BasicDigestAuthHandler.clientNonce = "MDI0ZDgxYTNmZDk4MTA1ODM0NDNjNmJjNDllYjQ1ZTI=";
BasicDigestAuthHandler.nonceCount.set(1);
// example 1
HttpUtils.AuthScheme authScheme = new HttpUtils.AuthScheme("Digest");
......@@ -107,10 +134,10 @@ public class BasicDigestAuthHandlerTest {
}
@Test
public void testMD5Sess() {
public void testDigestMD5Sess() {
BasicDigestAuthHandler authenticator = new BasicDigestAuthHandler(null, "admin", "12345");
authenticator.clientNonce = "hxk1lu63b6c7vhk";
authenticator.nonceCount.set(1);
BasicDigestAuthHandler.clientNonce = "hxk1lu63b6c7vhk";
BasicDigestAuthHandler.nonceCount.set(1);
HttpUtils.AuthScheme authScheme = new HttpUtils.AuthScheme("Digest");
authScheme.params.put("realm", "MD5-sess Example");
......@@ -145,10 +172,10 @@ public class BasicDigestAuthHandlerTest {
}
@Test
public void testMD5AuthInt() {
public void testDigestMD5AuthInt() {
BasicDigestAuthHandler authenticator = new BasicDigestAuthHandler(null, "admin", "12435");
authenticator.clientNonce = "hxk1lu63b6c7vhk";
authenticator.nonceCount.set(1);
BasicDigestAuthHandler.clientNonce = "hxk1lu63b6c7vhk";
BasicDigestAuthHandler.nonceCount.set(1);
HttpUtils.AuthScheme authScheme = new HttpUtils.AuthScheme("Digest");
authScheme.params.put("realm", "AuthInt Example");
......@@ -183,7 +210,7 @@ public class BasicDigestAuthHandlerTest {
}
@Test
public void testLegacyDigest() {
public void testDigestLegacy() {
BasicDigestAuthHandler authenticator = new BasicDigestAuthHandler(null, "Mufasa", "CircleOfLife");
// construct WWW-Authenticate