Tuesday, January 6, 2009

Re: [fw-auth] Zend_Auth_Adapter_Http Basic Credentials

Hi Simon,

The HTTP Auth adapter is, in fact, just using the password as-is from
the text file, without running it through base64_decode(). This is a bug
in the code; the intention was for the password to be stored in base64
in the file, but this was overlooked in development. Would you mind
filing a bug report for this issue?

Of course, all the usual security caveats apply to the password file,
regardless of whether the passwords are base64 encoded or not.

Regards,
Bryce Lohr


Simon Corless wrote:
> I'm not sure if I'm misunderstanding or whether this is a problem, I've
> searched the list and the net and can't find much mentioned about this.
>
> I thought I'd experiment with Zend_Auth_Adapter_Http tonight with basic
> authentication (on Windows test server). It all works except for the actual
> password.
>
> I get the impression from reading the manual the password should be base64
> encoded, however it doesn't seem to use any encoding and just accepts the
> plain text (i.e. a base64 encoded credential authorises if you pass it the
> base64 encoded string).
>
> "In Basic authentication, the credentials field should be the Base64
> encoding of the user's password."
>
> My auth file (password is testing base64 encoded):
>
> admin:test:dGVzdGluZw==
>
> However in the dialog entering "dGVzdGluZw==" as the password authorizes,
> entering "testing" does not.
>
> Thanks for any help or pointers.
>
> Simon
>
> -----
> Simon
>
> http://www.ajb007.co.uk/
>
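The behaviour discussed in this thread comes down to one comparison: whether the value stored in the `user:realm:credential` file is compared to the submitted password as-is, or base64-decoded first. The following is an added illustration, not Zend Framework code and not anything Bryce or Simon posted; the function names (`parseAuthFile`, `parseBasicHeader`, `checkBasic`) and the `$decodeStored` switch are hypothetical, and the sample file contents are constructed from the single line quoted above.

```php
<?php
// Added illustration, not Zend Framework code. A minimal Basic-auth
// credential check against a "user:realm:credential" file, showing the
// as-is comparison reported in the thread beside the documented intent.

declare(strict_types=1);

// Constructed sample file contents, matching the line quoted in the thread
// (realm "test", password "testing" stored as base64).
const SAMPLE_AUTH_FILE = "admin:test:dGVzdGluZw==\n";

/**
 * Parse "user:realm:credential" lines into [user][realm] => credential.
 * Blank lines, comments and lines without exactly three fields are skipped.
 */
function parseAuthFile(string $contents): array
{
    $table = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        $parts = explode(':', $line, 3);
        if (count($parts) !== 3) {
            continue;
        }
        [$user, $realm, $credential] = $parts;
        $table[$user][$realm] = $credential;
    }
    return $table;
}

/**
 * Extract user and password from an "Authorization: Basic ..." header value.
 * Returns null when the header is not a well-formed Basic credential.
 */
function parseBasicHeader(string $header): ?array
{
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $password] = explode(':', $decoded, 2);
    return ['user' => $user, 'password' => $password];
}

/**
 * Check the submitted password against the stored credential.
 *
 * $decodeStored = false reproduces the behaviour reported in the thread:
 * the file value is compared as-is, so only the literal string
 * "dGVzdGluZw==" typed into the dialog matches.
 * $decodeStored = true applies the documented intent: the file holds
 * base64(password), so the real password "testing" matches.
 * hash_equals() keeps the comparison constant-time.
 */
function checkBasic(array $table, string $realm, string $header, bool $decodeStored): bool
{
    $creds = parseBasicHeader($header);
    if ($creds === null || !isset($table[$creds['user']][$realm])) {
        return false;
    }
    $stored = $table[$creds['user']][$realm];
    if ($decodeStored) {
        $stored = base64_decode($stored, true);
        if ($stored === false) {
            return false;
        }
    }
    return hash_equals($stored, $creds['password']);
}

// Usage: the two header values a browser would send for the two dialog
// entries tried in the thread ("testing" and "dGVzdGluZw==").
$table = parseAuthFile(SAMPLE_AUTH_FILE);
$plainHeader  = 'Basic ' . base64_encode('admin:testing');
$base64Header = 'Basic ' . base64_encode('admin:dGVzdGluZw==');

var_dump(checkBasic($table, 'test', $plainHeader,  false)); // as-is comparison, real password
var_dump(checkBasic($table, 'test', $base64Header, false)); // as-is comparison, base64 string typed
var_dump(checkBasic($table, 'test', $plainHeader,  true));  // decoded comparison, real password
var_dump(checkBasic($table, 'test', $base64Header, true));  // decoded comparison, base64 string typed
```

Running it shows the two modes accepting opposite inputs, which is exactly the symptom Simon observed. Note that base64 is an encoding, not protection: in either mode the file still holds a recoverable password, which is the point of Bryce's closing caveat, and file permissions and a proper password hash remain the real safeguards.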
