Robustly parse quoted WWW-Authenticate parameters #1088

@halter73

Description

Something like param="," can break our naive WWW-Authenticate parameter parsing logic in ClientOAuthProvider. While I don't expect many servers will be sending parameters like that in their responses, and it'd be very unusual for an attacker to have only partial control over a WWW-Authenticate response header value, it'd be best to properly account for things like commas inside of quoted strings or escaped quotes like `\"`.

It's a bit like CSV with its quote handling trickiness.

See #1084 (comment) for more context.

https://gist.github.com/halter73/aca998c8855b4260b7ae2e705d85ec98 includes a Copilot conversation I had investigating whether there was a built-in API we could leverage, and it appears not.

RFC 9110 contains the relevant specs for the WWW-Authenticate header and how to read a parameter.

https://www.rfc-editor.org/rfc/rfc9110#section-11.6.1
https://www.rfc-editor.org/rfc/rfc9110#parameter
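The RFC 9110 parsing the issue asks for, as an added Python example (not code from this project or from the issue author; the function names are hypothetical): a scanner over the auth-param list that follows the scheme in a challenge, handling commas inside quoted-strings and `\"` quoted-pairs, which is exactly where splitting on "," first falls apart on input like `param=","`.

```python
# Added example, not the project's own code: parse the auth-param list of one
# WWW-Authenticate challenge per RFC 9110 (token, quoted-string, quoted-pair).
TOKEN_CHARS = frozenset("!#$%&'*+-.^_`|~0123456789"
                        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

def _skip_ws(s, i):                      # OWS / BWS = *( SP / HTAB )
    return len(s) - len(s[i:].lstrip(" \t"))

def _token(s, i):                        # token = 1*tchar (RFC 9110 s.5.6.2)
    j = i
    while j < len(s) and s[j] in TOKEN_CHARS:
        j += 1
    if j == i:
        raise ValueError(f"expected token at offset {i}")
    return s[i:j], j

def _quoted_string(s, i):                # i is just past the opening DQUOTE
    out = []
    while i < len(s):
        c, i = s[i], i + 1
        if c == '"':                     # closing DQUOTE
            return "".join(out), i
        if c == "\\" and i < len(s):     # quoted-pair: next char is literal
            c, i = s[i], i + 1
        out.append(c)
    raise ValueError("unterminated quoted-string")

def parse_auth_params(s):
    # Returns {name.lower(): unescaped value}; names are case-insensitive.
    params, i = {}, 0
    s = s.rstrip(" \t")
    while i < len(s):
        i = _skip_ws(s, i)
        if s[i] == ",":                  # empty list element, allowed by the #rule
            i += 1
            continue
        name, i = _token(s, i)
        i = _skip_ws(s, i)
        if i >= len(s) or s[i] != "=":
            raise ValueError(f"expected '=' after {name!r}")
        i = _skip_ws(s, i + 1)
        if i < len(s) and s[i] == '"':
            value, i = _quoted_string(s, i + 1)
        else:
            value, i = _token(s, i)
        params[name.lower()] = value
        i = _skip_ws(s, i)
        if i < len(s) and s[i] != ",":
            raise ValueError(f"unexpected {s[i]!r} at offset {i}")
    return params
```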

Labels: bug (Something isn't working)
