[tor-bugs] #17634 [Tor Launcher]: Be more strict if applying double quotes around passwords
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Nov 18 12:19:55 UTC 2015
#17634: Be more strict if applying double quotes around passwords
--------------------------+-----------------------
 Reporter:  gk            |          Owner:  brade
     Type:  defect        |         Status:  new
 Priority:  Low           |      Milestone:
Component:  Tor Launcher  |        Version:
 Severity:  Minor         |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
  Sponsor:                |
--------------------------+-----------------------
Description changed by gk:
Old description:
> When authenticating we handle the control password as follows:
> {{{
> // Surround non-hex strings with double quotes.
> const kIsHexRE = /^[A-Fa-f0-9]*$/;
> if (!kIsHexRE.test(pwdArg))
>   pwdArg = '"' + pwdArg + '"';
> }}}
> But the spec says `"AUTHENTICATE" [ SP 1*HEXDIG / QuotedString ] CRLF`
> and `HEXDIGIT` being `DIGIT / "A" / "B" / "C" / "D" / "E" / "F"`
> according to RFC 2234. Thus, we are a bit more lenient than we should be
> at the moment.
New description:
When authenticating we handle the control password as follows:
{{{
// Surround non-hex strings with double quotes.
const kIsHexRE = /^[A-Fa-f0-9]*$/;
if (!kIsHexRE.test(pwdArg))
  pwdArg = '"' + pwdArg + '"';
}}}
But the spec says `"AUTHENTICATE" [ SP 1*HEXDIG / QuotedString ] CRLF`
and `HEXDIG` being `DIGIT / "A" / "B" / "C" / "D" / "E" / "F"` according
to RFC 2234. Thus, we are a bit more lenient than we should be at the
moment.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17634#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
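
Added example, not part of the ticket and not Tor Launcher code: one way to emit an AUTHENTICATE argument that fits the grammar as the ticket reads it (at least one hex digit, uppercase A-F, otherwise a QuotedString), shown beside the check quoted in the description. The function names are hypothetical, and the backslash escaping of `"` and `\` inside the QuotedString and the rejection of raw CR/LF are assumptions of this example.

```javascript
// Added example; function names are hypothetical, not Tor Launcher's.
const kHexRE = /^[A-Fa-f0-9]+$/;    // "+" enforces 1*HEXDIG (no empty match)
const kStrictHexRE = /^[A-F0-9]+$/; // the ticket's reading: uppercase only

// The check quoted in the ticket, wrapped in a function for comparison.
function lenientAuthArg(pwdArg) {
  const kIsHexRE = /^[A-Fa-f0-9]*$/;
  if (!kIsHexRE.test(pwdArg))
    pwdArg = '"' + pwdArg + '"';
  return pwdArg;
}

// Stricter formatter: output is always 1*HEXDIG or a QuotedString.
function formatAuthArg(pwd) {
  if (typeof pwd !== "string")
    throw new TypeError("password must be a string");
  // Assumption: refuse raw CR/LF, which would end the command line early.
  if (/[\r\n]/.test(pwd))
    throw new Error("password contains CR or LF");
  // Hex input keeps its meaning; upper-casing makes it match HEXDIG as read.
  if (kHexRE.test(pwd))
    return pwd.toUpperCase();
  // Assumption: '"' and '\' are backslash-escaped inside a QuotedString.
  return '"' + pwd.replace(/(["\\])/g, "\\$1") + '"';
}

// True if arg is uppercase 1*HEXDIG or a well-formed quoted string.
function conformsToGrammar(arg) {
  return kStrictHexRE.test(arg) || /^"(?:[^"\\\r\n]|\\.)*"$/.test(arg);
}

function buildAuthenticate(pwd) {
  return "AUTHENTICATE " + formatAuthArg(pwd) + "\r\n";
}

// Constructed sample inputs: empty, lowercase hex, and a non-hex password.
for (const pwd of ["", "16c0ffee", 'pa"ss\\']) {
  console.log(JSON.stringify(pwd),
              "lenient:", JSON.stringify(lenientAuthArg(pwd)),
              "strict:", JSON.stringify(formatAuthArg(pwd)));
}
```

The empty password and lowercase hex are the two inputs where the quoted check and this formatter produce different output.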