ID:               16337
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Feedback
 Bug Type:         HTTP related
 Operating System: Unix based
 PHP Version:      4.1.0
 New Comment:

RFC 2068 is obsoleted by RFC 2616, so your assumption that RFC 2068 is
still adhered to is incorrect.

The username:password string is base-64 encoded for Basic
Authentication, which I'm going to assume you're using, since you
didn't mention what type of authentication the server demands for
access to http://www.example.org/. It is not URL encoded.

Now, as for your bug report, why in the world would the include
function *decode* the username:password string? The content coming back
from the server doesn't specify the username and password to be used;
that's what *you* sent.

See RFC 2617 for more information about both Basic and Digest
Authentication over HTTP. http://ietf.org/rfc/rfc2617.txt will point
you there.

I think a better understanding of this might help you solve your
problem on your own. However, if this does not help, it should at least
allow you to better explain what the problem is, because your reports
have too many holes for me to understand what problem you are having,
whether a bug in PHP or not.


Previous Comments:
------------------------------------------------------------------------

[2002-04-10 20:01:07] [EMAIL PROTECTED]

in case anyone wondered, the HTTP spec I am refering to, is at:
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2068.html
(Section 11.1)
Since RFC 2616 doesn't specify user-pass strings, I assume this older
RFC still applies.

------------------------------------------------------------------------

[2002-04-10 19:57:48] [EMAIL PROTECTED]

Correction: 
 PHP's fopen url wrapper doesn't appear to unencode ANY encodings at
all.  Since the HTTP spec only excludes ':' from the username (and
nothing at all from the password), this bug makes many
username:password pairs unusable.

------------------------------------------------------------------------

[2002-03-28 18:12:28] [EMAIL PROTECTED]

When include() is called with the following syntax:

include("http://username:[EMAIL PROTECTED]/";);

It is the duty of the include call to tokenize the username and
password, and to urldecode each of them.  Why?  Because things would
break if a username contained 'www.example.com/?var='  or say a
password contained an @.  So, it is the duty of the caller to urlencode
these tokens, and the duty of include (or a sub function) to unencode
it after parsing.  

However, it has been observed in PHP 4.1.x that '%' characters (or
their equivalent '%25') are not decoded properly.  Prior use of this
feature leads us to believe the 4.0.x series of PHP does not have this
problem.  

We run websites with hundreds of users.  We would appreciate a quick
response, because we would rather not force all users with '%'s in
their passwords to change them.  Thank you.

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=16337&edit=1

Reply via email to