Arg, mis-clicked.

On Wed, Feb 3, 2016 at 2:17 PM, Eric Covener <[email protected]> wrote:
> I am looking at an old block of code in mod_authnz_ldap that seems to
> have been there since it was imported. We do some escaping of the
> HTTP basic auth username before copying it into a filter.
>
>     for (p = user, q=filtbuf + len;
>          *p && q < filtbuf_end; *q++ = *p++) {
>         if (strchr("*()\\", *p) != NULL) {
>             *q++ = '\\';
>             if (q >= filtbuf_end) {
>                 break;
>             }
>         }
>     }
>
> But neither http://tools.ietf.org/html/rfc4514 nor http://tools.ietf.org/html/rfc2253

Actually allow *() to be escaped in this way. Those specs both require \xx escaping (they allow different sets of characters to be escaped with \, including \ in both versions).

Anyone around that remembers how this set of characters and the \ escaping were chosen?
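
The two escaping forms the message contrasts, as an added example that is not part of the original message or of httpd: `legacy_escape` wraps the quoted loop, and the hypothetical `hex_escape` writes the \xx form and rejects input that does not fit instead of truncating it. Assumptions: both function names, the explicit length and size parameters, the `filtbuf_end` definition, and the escaped set (`*`, `(`, `)`, `\`, NUL), which is the one RFC 4515 lists for search filter values.

```c
#include <stddef.h>
#include <string.h>

/* The loop quoted in the message, wrapped for comparison. Assumption:
 * filtbuf_end leaves one byte for the terminator; bufsz must be >= 1. */
static size_t legacy_escape(const char *user, char *filtbuf, size_t bufsz)
{
    const char *p;
    char *q, *filtbuf_end = filtbuf + bufsz - 1;

    for (p = user, q = filtbuf; *p && q < filtbuf_end; *q++ = *p++) {
        if (strchr("*()\\", *p) != NULL) {
            *q++ = '\\';
            if (q >= filtbuf_end) {
                break;
            }
        }
    }
    *q = '\0';
    return (size_t)(q - filtbuf);
}

/* Hypothetical replacement: write each special byte as '\' plus two hex
 * digits. Takes an explicit length so an embedded NUL is escaped too.
 * Returns the escaped length, or -1 if out is too small, so the caller
 * never builds a filter from a truncated value. */
static int hex_escape(const char *in, size_t inlen, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t i, o = 0;

    if (outsz == 0) {
        return -1;
    }
    for (i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        int special = (c == '\0' || strchr("*()\\", c) != NULL);
        size_t need = special ? 3 : 1;

        if (outsz - o <= need) {   /* always keep room for the '\0' */
            return -1;
        }
        if (special) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}
```

With a 3-byte buffer and the constructed input `a*b`, `legacy_escape` stops after writing `a\`, leaving a dangling backslash, while `hex_escape` reports the overflow to the caller.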
