[
https://issues.apache.org/jira/browse/COUCHDB-2974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15206255#comment-15206255
]
ASF GitHub Bot commented on COUCHDB-2974:
-----------------------------------------
Github user iilyak commented on the pull request:
https://github.com/apache/couchdb-chttpd/pull/109#issuecomment-199785630
@kxepal: I did create a jira ticket
[COUCHDB-2974](https://issues.apache.org/jira/browse/COUCHDB-2974) to track
utf-8 support.
> Validate userid per RFC7613 in order to support utf-8 in username
> -----------------------------------------------------------------
>
> Key: COUCHDB-2974
> URL: https://issues.apache.org/jira/browse/COUCHDB-2974
> Project: CouchDB
> Issue Type: New Feature
> Reporter: ILYA
>
> Currently utf-8 in userid is not supported, since it doesn't seem possible to
> transmit utf-8 in an http header. We use basic auth which is based on headers.
> There is a new [RFC7617|https://datatracker.ietf.org/doc/rfc7617/] which is going
> to support utf-8. In order to avoid security issues with utf-8 we should
> either forbid utf-8 in userid or validate it to prohibit certain inputs.
> There is a proposed [RFC7613|https://datatracker.ietf.org/doc/rfc7613/] which
> defines what can be in a userid and what shouldn't be there.
> We need to be aware though that some clients decided to support utf-8 in a
> non standard way.
> * [httpie|https://github.com/jkbrzt/httpie/blob/25d1e8e418425a208eca285cbe435a5914da542c/httpie/plugins/builtin.py#L29] - enforce utf-8 encoding
> * [curl|https://github.com/jkbrzt/httpie/issues/212#issuecomment-41280312] -
> relies on the implementation detail of base64 cli tool on *nix's
> * Opera uses UTF-8;
> * IE uses the system's default codepage (which you have no way of knowing,
> other than it's never UTF-8), and silently mangles characters that don't fit
> into it using the Windows ‘guess a random character that looks a bit like
> the one you wanted or maybe just not’ secret recipe;
> * Mozilla uses only the lower byte of character codepoints, which has the
> effect of encoding to ISO-8859-1 and mangling the non-8859-1 characters
> irretrievably... except when doing XMLHttpRequests, in which case it uses
> UTF-8;
> * Safari and Chrome encode to ISO-8859-1, and fail to send the authorization
> header at all when a non-8859-1 character is used.
> The info about browsers is from http://stackoverflow.com/a/703341
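An added example, not part of the ticket or of CouchDB's code: a Python sketch of the server-side handling the ticket describes, decoding a Basic credential strictly as UTF-8 (so ISO-8859-1 or codepage bytes from the clients listed above are refused rather than guessed at) and then checking the userid. The function names are hypothetical, and the userid check is a simplified subset of RFC 7613 (width mapping, NFC, a category deny-list), not a full PRECIS implementation.

```python
import base64
import binascii
import unicodedata

# Unicode general categories refused in a userid: controls, format characters,
# surrogates, private use, unassigned, and separators (spaces).
# Assumption: a simplified stand-in for the stricter PRECIS IdentifierClass.
_REJECTED_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn", "Zs", "Zl", "Zp"}


class CredentialError(ValueError):
    """Raised when the header or the userid fails validation."""


def validate_userid(userid):
    """Return the canonical userid to store and compare, or raise."""
    # Width mapping: fold fullwidth/halfwidth forms to their decomposition
    # mapping, then normalize to NFC so equivalent spellings compare equal.
    mapped = "".join(
        unicodedata.normalize("NFKC", ch)
        if unicodedata.decomposition(ch).startswith(("<wide>", "<narrow>"))
        else ch
        for ch in userid
    )
    canonical = unicodedata.normalize("NFC", mapped)
    if not canonical:
        raise CredentialError("empty userid")
    for ch in canonical:
        if unicodedata.category(ch) in _REJECTED_CATEGORIES:
            raise CredentialError("disallowed code point U+%04X" % ord(ch))
    return canonical


def parse_basic_credentials(header_value):
    """Return (canonical_userid, password) from an Authorization header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise CredentialError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        # Strict decode: ISO-8859-1 or Windows codepage bytes fail here.
        text = raw.decode("utf-8", errors="strict")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise CredentialError("credential is not base64-encoded UTF-8") from exc
    userid, sep, password = text.partition(":")
    if not sep:
        raise CredentialError("missing ':' separator")
    return validate_userid(userid), password
```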