The base64 function in authenticate.c does not correctly pad the output data. This can easily be seen by having it encode N bytes of data, where N is -not- a multiple of 3. For instance:
base64("123") == "MTIz" (correct value: "MTIz")
base64("1234") == "MTIzNA" (correct value: "MTIzNA==")
Because of this bug, HTTP Basic authentication may not work correctly, depending on the length of the username and password. The patch below fixes this problem.
----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<----8<---- --- rsync-2.6.6/authenticate.c-orig 2006-03-06 11:10:23.000000000 +0100 +++ rsync-2.6.6/authenticate.c 2006-03-06 11:10:54.000000000 +0100 @@ -49,6 +49,9 @@ } out[i] = b64[idx]; } + + while ((i % 4) > 0) + out[i++] = '='; } /* Generate a challenge buffer and return it base64-encoded. */
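Review bot: the added padding loop at the end of the base64 function writes '=' through out[i++], but the hunk adds no out[i] = '\0' after it, so the padded string is not null-terminated at its new end; nothing in the visible lines shows that the output buffer has room for the up to two extra bytes either. Add the terminator after the loop and check the buffer size at the call sites. The context line that follows shows the same function produces the base64-encoded challenge, so padding unconditionally changes that output as well; a flag that lets the caller request padding would keep the change limited to the HTTP proxy header.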
Created attachment 1775: Patch for base64 in authenticate.c
Your change would also affect the password authentication that a daemon rsync performs, making daemons/clients incompatible with older clients/daemons. Also, your code failed to null-terminate the padded value. I've checked in an improved version that lets the caller choose if they want padding or not. This ensures that only the Proxy-Authentication header is affected by this change. Thanks for your help.
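The caller-selectable padding described in the reply above, as an added sketch that is not rsync's checked-in code. The names `b64_encode` and `B64_OUT_SIZE`, the `pad` flag and the `(size_t)-1` error return are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Worst case for in_len input bytes: 4 chars per 3-byte group, plus the NUL. */
#define B64_OUT_SIZE(in_len) (4 * (((in_len) + 2) / 3) + 1)

/* Hypothetical encoder: pad != 0 appends '=' up to a multiple of 4 (as an HTTP
 * header needs); pad == 0 keeps the unpadded form an older peer would expect.
 * Returns the string length, or (size_t)-1 if out is too small. */
size_t b64_encode(const unsigned char *in, size_t in_len,
                  char *out, size_t out_size, int pad)
{
    static const char b64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;

    if (out_size < B64_OUT_SIZE(in_len))
        return (size_t)-1;               /* refuse rather than overflow */
    for (i = 0; i + 2 < in_len; i += 3) {  /* full 3-byte groups */
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8) | in[i + 2];
        out[o++] = b64[v >> 18];
        out[o++] = b64[(v >> 12) & 63];
        out[o++] = b64[(v >> 6) & 63];
        out[o++] = b64[v & 63];
    }
    if (i < in_len) {                    /* one or two trailing bytes */
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < in_len)
            v |= (unsigned)in[i + 1] << 8;
        out[o++] = b64[v >> 18];
        out[o++] = b64[(v >> 12) & 63];
        if (i + 1 < in_len)
            out[o++] = b64[(v >> 6) & 63];
    }
    if (pad)
        while (o % 4)
            out[o++] = '=';
    out[o] = '\0';                       /* terminate after any padding */
    return o;
}

int main(void)
{
    char buf[B64_OUT_SIZE(4)];
    b64_encode((const unsigned char *)"1234", 4, buf, sizeof buf, 1);
    printf("padded:   %s\n", buf);
    b64_encode((const unsigned char *)"1234", 4, buf, sizeof buf, 0);
    printf("unpadded: %s\n", buf);
    return 0;
}
```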