ntlm_auth squid_2_5_basic password problem

Christopher R. Hertel crh at ubiqx.mn.org
Mon Dec 22 18:21:35 GMT 2003

On Mon, Dec 22, 2003 at 05:40:05PM +0000, M A Young wrote:
> I have discovered that ntlm_auth from samba 3.0 doesn't correctly
> authenticate a password with the '+' character in when the squid-2.5-basic
> helper protocol is used. I observed this when trying to authenticate from
> squid-2.5-STABLE4, so I suspect this is a genuine error. I have traced the
> problem to the rfc1738_unescape subroutine, which for some reason replaces
> '+' with ' '. As far as I can tell from rfc1738, it is completely legal to
> have an unescaped '+' sign in a password.
> 	Michael Young

There was a time, back in the early days of HTTP, when spaces were
replaced with plus signs in URI strings.  This is still done in some cases
(apparently).  I think that you are correct that this is no longer
standard practice (a quick look through RFC 2396, which updates 1738, does 
not turn up anything about coverting spaces to plus signs).  See:


In 2396 the plus sign is listed as a reserved character, but is then added 
to the allowed characters in several of the BNF right-hand-sides.  The 
password is generally encoded within the userinfo, and the plus sign is 
permitted there:

userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )

...so it should not need to be escaped.

Sounds like the conversion between '+' and ' ' is a throw-back.

Chris -)-----

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org

More information about the samba-technical mailing list