Web interface password -- characters permitted

Michael Sweet mike at easysw.com
Mon Jul 24 12:14:01 PDT 2006


Matt Broughton wrote:
> Mac OS X 10.4.7 with CUPS 1.1.23
> 
> There was a recent thread on the Apple discussion boards about what 
> characters are acceptable in a password.  It would appear that any 
> "non-English" character used in a password will not be accepted by the web 
> interface authentication.  
> 
> I tried setting an administrator's password using Greek letters "ååçç" 
> (unicode characters \303\247\303\247\303\245\303\245).  This works for 
> logging into the user's account in OS X and for 'su' or 'sudo' in the 
> Terminal.  Trying to access the administration section of the CUPS web 
> interface does not work however.  The error log showed "IsAuthenticated: 
> pam_authenticate () returned 7 (Authorization failure)!"
> 
> Is this a limitation of CUPS?  It appears that printer queues can 
> have a name using these characters.  It is just the web authentication 
> that fails.

My guess would be this is either a PAM bug on Mac OS X or an issue
of the wrong encoding (character set) being used for the characters.

AFAIK, the HTTP spec doesn't discuss what character set is required,
however all URIs need to use UTF-8 so I'd guess that the username and
password should be passed as UTF-8, and the PAM module on OSX needs
to convert the password from UTF-8 as needed (I don't know if they
use UTF-8 or UTF-16 to do the actual password hash...)

There is also the issue of NFC vs NFD (and NFKC and NFKD)
representations - a single character can be represented as a base
character + zero or more composition characters.

Anyways, I would file a bug report with Apple about this...

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Document Software          http://www.easysw.com
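
The encoding and normalization mismatch discussed in the reply above, as an added example that is not part of the original post and is not CUPS or PAM code. The account name, the helper functions and the SHA-256 stand-in for the stored password hash are assumptions made for illustration; the password is the NFC form of the octal bytes quoted in the thread.

```python
import base64
import hashlib
import unicodedata

# Constructed sample: the UTF-8 bytes quoted in the thread
# (\303\247\303\247\303\245\303\245) decode to these NFC code points.
PASSWORD_NFC = "\u00e7\u00e7\u00e5\u00e5"
USER = "admin"  # hypothetical account name


def basic_credentials(user, password, form, charset):
    """Client side: build the base64 payload of an HTTP Basic header."""
    normalized = unicodedata.normalize(form, password)
    raw = user.encode(charset) + b":" + normalized.encode(charset)
    return base64.b64encode(raw).decode("ascii")


def verifier(password):
    """Stand-in for the stored hash (plain SHA-256, illustration only)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check(payload, stored, charset="utf-8", form=None):
    """Server side: decode with one charset, optionally normalize, compare."""
    raw = base64.b64decode(payload)
    _, _, pw_bytes = raw.partition(b":")
    try:
        password = pw_bytes.decode(charset)
    except UnicodeDecodeError:
        return False  # bytes are not valid in the charset the server assumed
    if form:
        password = unicodedata.normalize(form, password)
    return verifier(password) == stored


# Assumption: the account password was set in NFC and hashed from UTF-8.
STORED = verifier(PASSWORD_NFC)

if __name__ == "__main__":
    cases = [("NFC", "utf-8"), ("NFC", "latin-1"), ("NFD", "utf-8")]
    for form, charset in cases:
        payload = basic_credentials(USER, PASSWORD_NFC, form, charset)
        print(form, charset, payload,
              "strict:", check(payload, STORED),
              "normalized:", check(payload, STORED, form="NFC"))
```

Only the client that sends NFC text as UTF-8 passes the strict comparison; the NFD client passes once the server normalizes to the form used when the password was set, and the Latin-1 client passes only if the server decodes with the same charset.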



