There seems to be a bug with Basic Auth in Paw. The password field is added a \n character to the end of the password I enter and breaks my authentication on the server side. You can even see the extra line after the password in this screenshot. I've also confirmed in my server-side code that there is indeed a newline character (\n) appended to the string.
http://note.io/12BJA6m
It sounds like you added a newline character after the password. Edit the password field, select all, and type the password again.
(Though, I agree the field shouldn't accept newlines, I'll file a bug for that.)
Related
I know that URI supports the following syntax:
http://[user]:[password]#[domain.tld]
When there is no password or if the password is empty, is there a colon?
In other words, should I accept this:
http://[user]:#[domain.tld]
Or this:
http://[user]#[domain.tld]
Or are they both valid?
The current URI standard (STD 66) is RFC 3986, and the relevant section is 3.2.1. User Information.
There it’s defined that the userinfo subcomponent (which gets followed by #) can contain any combination of
the character :,
percent-encoded characters, and
characters from the sets unreserved and sub-delims.
So this means that both of your examples are valid.
However, note that the format user:password is deprecated. Anyway, they give recommendations how applications should handle such URIs, i.e., everything after the first : character should not be displayed by applications, unless
the data after the colon is the empty string (indicating no password).
So according to this recommendation, the userinfo subcomponent user: indicates that there is the username "user" and no password.
This is more like convenience and both are valid. I would go with http://[user]#[domain.tld] (and prompt for a password.) because it's simple and not ambiguous. It does not give any chance for user to think if he has to add anything after :
I'm using the Authorization header with the Basic type for authentication.
I'm following the HTTP Basic authentication specifications which states that the credentials should follow this form -> userIdentifier:password encoded in base64
We are using an email as the user identifier and according to the email format specification, the colon(':') character is permitted.
The colon(':') is also a valid character in the password.
Knowing this, I'm looking for a creative way to parse the credentials part of the header that uses a colon(':') as the separator between userID and password.
In this case it's simple -> francis#gmail.com:myPassword
This is where it gets complicated -> francis#gmail.com:80:myPasswordWith:Inside
francis#gmail.com:80 is a valid email according to the email format specification even though this is not used very often. So where do I know where to split ?
We have made the decision not to accept an email containing a ':'. But we want to notify the user that his email is not valid, how can we ensure that we are splitting the string at the right place ?
Hope I asked my question in a clear manner, don't hesitate to ask for more details
Thank you
Don’t notify the user that the email is invalid. Split according to the RFC 2617 rules (everything after the first colon is the password), then try to authenticate, fail, and return a generic “authentication failure” message.
A situation where john#example.org:80 has password secret and john#example.org has password 80:secret at the same time, seems unrealistic.
If you require your users to register, you probably do it with some other mechanism (forms?) where you can easily separate the username and tell that it is invalid.
I am facing a weird problem related to content type/encoding.
Here is my Java code snippet below. This code works perfectly fine on a Windows machine where the application server is running on windows and the SMTP server for sending emails is also Windows localhost. When I deploy the same code on a Unix server, the email sent for the exact same content contains question marks (???) for special characters like non-breaking white space.
I did a lot of googling, but I did not find any solution. How can I fix this problem? The content types I tried were ISO-8859-1, UTF-8 and Windows-1252. Nothing helps.
MimeMessage message = new MimeMessage(session);
.............
Multipart mp = new MimeMultipart();
MimeBodyPart messageBody = new MimeBodyPart();
messageBody.setContent(mailMessage, "text/html;charset=Windows-1252");
messageBody.setHeader("Content-Type", "text/html;charset=Windows-1252");
// Add body to the multimedia part
mp.addBodyPart(messageBody);
message.setContent(mp);
// Send message
Transport.send(message);
Are you using the same mail server in both cases? And the same client program to view the message?
For debugging, just before the Transport.send call, add:
message.writeTo(new FileOutputStream("msg.txt"));
and then examine the msg.txt file to see if the characters are correctly encoded.
How do you create the text in the mailMessage String? If you don't create the string with the correct Unicode characters, no charset is going to make it right.
Also, you don't ever need to set the Content-Type header explicitly, remove that line.
And, instead of setContent, use:
messageBody.setText(mailMessage, "html", "utf-8");
That makes sure the Content-Type header is set correctly and the parameters (e.g., charset) are quoted correctly.
Ultimately, I had to go with a crude way of doing it. I replaced such characters with space.
mailMessage.replaceAll("[^\\x20-\\x7e]", " ");
Now, all the special characters like non-breaking space or any other character falling out of normal range, will be replaced with space. The email in this case was anyway meant for normal text.
Before IIS 5.0 Response.Redirect was not encoding the string you privide. It was your own responsibility to URLEncode the string.
On IIS 4.0 we used
Response.Redirect Server.URLEncode("Page,One.asp")
With IIS 5.0 we started just using
Response.Redirect("Page,One.asp")
So the new Response.Redirect function URLEncodes your string and there is no other option.
There is just one problem. I can not pass a "+" sign in the strings.
When Response.Redirect("sum=1+3") is executed, you expect it to encode all the non alphanumeric characters but "+" sign turns into a space character on the receiving page.
When Response.Redirect(“sum=1%2B3”) is executed, "404 Not Found" is received because "sum%3D1%25B23" does not exist on the server as %2B is encoded twice.
I want "+" to be encoded as %2B so that the receiving page understands that it is in fact a part of some text and display it.
Let me give you an example:
When you type
http://translate.google.com/#en|tr|1%2B2
into your browser and pres enter you will see that google accepts %2B and decodes it as a + in the textarea.
Neither
Response.Redirect("http://translate.google.com/#en|tr|1%2B2")
or
Response.Redirect("http://translate.google.com/#en|tr|1+2")
does the same effect as in the example i gave. I just want to redirect to that page.
There is an other way like first encoding the string and then redirecting with Response.Redirect unescape("Page%2COne%2Easp") but escape and unescape functions support some part of UTF-8 and ASCII (0-127) but do not support high ANSI (128-255) characters, notably European accented characters.
Any suggestions?
So the new Response.Redirect function URLEncodes your string and there is no other option.
what do you mean there is no other option ?
server.urlencode still exists
I need to allow the user to submit queries as follows;
/search/"my search string"
but it's failing because of request validation, as outlined in the following 2 questions:
How to include quote characters as a route parameter? Getting "Illegal characters in path" message
How to modify request validation?
I'm currently trying to figure out how to disable request validation for the quote character, but i'd like to know the risks before I actually put the site live with this disabled? I will not disable the request validation unless I can only disable it for the quote character, so I do intend to disallow every other character that's currently not allowed.
According to the URI generic syntax specification (RFC 2396), the double-quote character is explicitly excluded and must be escaped (i.e. %22). See section 2.4.3. The reason given in the spec:
The angle-bracket "<" and ">" and double-quote (") characters are excluded because they are often used as the delimiters around URI in text documents and protocol fields.
You can see easily why this is the case -- imagine trying to create a link in HTML to your URL:
<a href="http://somesite/search/"my search string""/>
That would fail HTML parsing (and also breaks SO's syntax highlighting). You also would have trouble doing basic things with the URL like emailing it to someone (the email client wouldn't parse the URL correctly), posting it on a message board, sending it in an instant message, etc.
For what it's worth, spaces are also explicitly excluded (same section of the RFC explains why).