Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

CherryPy will allways decode basic authentication information with ISO-8859-1

See original GitHub issue

I have submitted the observed behavior on stackoverflow.

import cherrypy

class SimpleWebpage(object):
    @cherrypy.expose
    def index(self):
        return "<html><head></head><body>Authenticated</body></html>"

def hexcode(s):
    return ' '.join(hex(ord(x))[2:] for x in s)

def test_hexcode(realm, username, password):
    username_hexcode = hexcode(username)
    password_hexcode = hexcode(password)
    print(f"realm: {realm!r}, username: {username!r}-{username_hexcode!r}, "
          f"password: {password!r}-{password_hexcode!r}")
    return False

cherrypy.tree.mount(SimpleWebpage(), '/',
                    {'/': {'tools.auth_basic.checkpassword': test_hexcode,
                           'tools.auth_basic.on': True,
                           'tools.auth_basic.realm': 'MY_REALM',}})

cherrypy.config.update({'tools.sessions.on': True,})
cherrypy.server.socket_host = '0.0.0.0'
cherrypy.engine.autoreload.unsubscribe()
cherrypy.engine.start()
cherrypy.engine.block()

Issuing curl -u 'curl:€öäü' -i -X GET http://10.25.5.17:8080/ will print realm: 'MY_REALM', username: 'curl'-'63 75 72 6c', password: 'â\x82¬Ã¶Ã¤Ã¼'-'e2 82 ac c3 b6 c3 a4 c3 bc' on the python console.

RFC-7617 explains how encoding should be handled concerning basic authentication.

Currently CherryPy doesn’t offer a way to indicate what encoding scheme it wants and how it decodes it. Right now browsers will use different charsets:

On Redhat 6

curl 7.19.7 (x86_64-redhat-linux-gnu) sends UTF-8

On Windows 10 Version 1709

Firefox 57.0.2 (32-Bit) sends (probably) ISO-8859-1
curl 7.56.1 (i686-pc-cygwin) sends UTF-8
Google-Chrome 63.0.3239.108 (64-Bit) sends UTF-8
Internet Explorer 11.786.15063.0 sends (probably) ISO-8859-1
Edge 40.15063.674.0 sends (probably) ISO-8859-1

A possible solution would be if CherryPy would send WWW-Authenticate: Basic realm="foo", charset="UTF-8" and decode the authentication string as utf-8 instead of ISO-8851-1. But I’m sure that some other things might need to be considered. And I haven’t tested if Firefox will switch to UTF-8 with this header.

Issue Analytics

State:
Created 6 years ago
Comments:17 (10 by maintainers)

Top GitHub Comments

1reaction

PJaroscommented, May 1, 2018

I was able to test 14.2.0 7 days ago and everything works. Thanks for release this version. 👍

1reaction

webknjazcommented, Dec 29, 2017

@PJaros thanks for the detailed analysis. This needs some investigation, but I’d guess that the solution might need to be submitted to cheroot (just a note for now).

Top Results From Across the Web

CherryPy allways decodes Basic Auth with ISO-8859-1

It's know limitation documented in issue #1680. Until the issue is resolved, CherryPy will not recognize UTF-8 encoded Basic-Auth Data.

CherryPy Documentation - Read the Docs

This tutorial will walk you through basic but complete CherryPy ... Decoding request. * Encoding response. – Authentication. * Basic.

cherrypy.lib package

This module provides a CherryPy 3.x tool which implements the server-side of HTTP Basic Access Authentication, as described in RFC 2617.

cherrypy.lib.auth_basic module

HTTP Basic Authentication tool. This module provides a CherryPy 3.x tool which implements the server-side of HTTP Basic Access Authentication, as described ...

in trunk/tools/build/third_party/cherrypy: . lib process scaffold ...

+ # in the given encoding, which for ISO-8859-1 is almost always what ... +the server-side of HTTP Basic Access Authentication, as described...