ILYA created COUCHDB-2974:
-----------------------------
Summary: Validate userid per RFC7613 in order to support utf-8 in username
Key: COUCHDB-2974
URL: https://issues.apache.org/jira/browse/COUCHDB-2974
Project: CouchDB
Issue Type: New Feature
Reporter: ILYA
Currently utf-8 in userid is not supported, since it doesn't seem possible to
transmit utf-8 in an http header. We use basic auth, which is based on headers.
There is a new [RFC7617|https://datatracker.ietf.org/doc/rfc7617/] that is going to
support utf-8. In order to avoid security issues with utf-8 we should either
forbid utf-8 in userid or validate it to prohibit certain inputs. There is a
proposed [RFC7613|https://datatracker.ietf.org/doc/rfc7613/] which defines what
can be in a userid and what shouldn't be there.
We need to be aware though that some clients decided to support utf-8 in a
non-standard way.
* [httpie|https://github.com/jkbrzt/httpie/blob/25d1e8e418425a208eca285cbe435a5914da542c/httpie/plugins/builtin.py#L29] - enforces utf-8 encoding
* [curl|https://github.com/jkbrzt/httpie/issues/212#issuecomment-41280312] - relies on the implementation detail of base64 cli tool on *nix's
* Opera uses UTF-8;
* IE uses the system's default codepage (which you have no way of knowing,
other than it's never UTF-8), and silently mangles characters that don't fit
into it using the Windows ‘guess a random character that looks a bit like
the one you wanted or maybe just not’ secret recipe;
* Mozilla uses only the lower byte of character codepoints, which has the
effect of encoding to ISO-8859-1 and mangling the non-8859-1 characters
irretrievably... except when doing XMLHttpRequests, in which case it uses UTF-8;
* Safari and Chrome encode to ISO-8859-1, and fail to send the authorization
header at all when a non-8859-1 character is used.
The info about browsers is from http://stackoverflow.com/a/703341
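The client behaviour listed in the issue, seen from the server side, as an added example that is not part of the original issue and not CouchDB code: the same userid produces different Basic credentials under UTF-8 and ISO-8859-1, and a strict parser accepts only the UTF-8 form. The function names, the sample userid and the code point filter (a conservative stand-in, not an implementation of the RFC 7613 profile) are assumptions.

```python
import base64
import unicodedata

class CredentialError(ValueError):
    """Raised when a Basic credential cannot be decoded unambiguously."""

def encode_basic(userid, password, charset):
    """Build the header a client sends when it encodes with `charset`."""
    raw = f"{userid}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def check_userid(userid):
    """Conservative filter (assumption, not full RFC 7613): reject control,
    format, surrogate, private-use, unassigned and separator code points."""
    for ch in userid:
        cat = unicodedata.category(ch)
        if cat.startswith("C") or cat.startswith("Z"):
            raise CredentialError(f"disallowed code point U+{ord(ch):04X}")

def parse_basic(header):
    """Return (userid, password); accept only well-formed UTF-8 credentials."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise CredentialError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        # Strict decoding: bytes from an ISO-8859-1 client fail here instead
        # of being silently mapped to some other userid.
        text = raw.decode("utf-8", errors="strict")
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise CredentialError("credential is not valid base64/UTF-8") from exc
    userid, sep, password = text.partition(":")
    if not sep or not userid:
        raise CredentialError("missing userid or ':' separator")
    check_userid(userid)
    # Normalise so composed and decomposed spellings name the same account.
    return unicodedata.normalize("NFC", userid), password

if __name__ == "__main__":
    user = "j\u00fcrgen"  # constructed sample userid
    for charset in ("utf-8", "iso-8859-1"):
        header = encode_basic(user, "pw", charset)
        try:
            print(charset, header, "->", parse_basic(header))
        except CredentialError as err:
            print(charset, header, "-> rejected:", err)
```

Strict decoding cannot catch every legacy client: an ISO-8859-1 byte sequence that happens to be valid UTF-8 still decodes, to a different userid than the one the user typed.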