We're updating the issue view to help you get more done. 

Empty password ignored in Basic Auth (CB 4.3)

Description

OK, it is really a minor bug. Nevertheless I thought i report it since our QA team found it and opened a ticket in our company bugtracker...

Environment Lucce 5.2

if you have empty password in Basic Auth the getHTTPBasicCredentials() will return the value of the username as password.

Example: Basic Auth
username = myusername
password = (empty)

will return struct {username:'myusername',password:'myusername'}

it might be due to strange behaviour of lucees listlast function which returns the first element BEFORE the divider it the last element is empty

RequestContect.cfc. 1162 results.password = listLast( authHeader, ":")

authHeader ='myusername:"
results.password = listLast(authHeader, ":")
returns "myusername" for results.password

Status

Assignee

Luis Majano

Reporter

Daniel Schmid

Labels

None

Components

Fix versions

Priority

Major