Skip to content

Spec doesn't mention password quotes

Section 5.1 of the control-spec [1] provides a nice description of authentication, but doesn't mention how to handle quotes in the password. Unsurprisingly controllers are expected to provide escaped quotes...

atagar@morrigan:~$ tor --hash-password "this has a \" in it"
  16:E6DC1BCEDF55EDCA607ADDB8781795772E42AAC75F7B7630B6227232E4

atagar@morrigan:~$ telnet localhost 9051
  Connected to localhost.
  AUTHENTICATE "this has a \" in it"
  250 OK

I'm gonna guess that only quotes should be escaped by controllers.

I've been finding it a little frustrating to figure out when and what escaping is expected so I'm generally working from the assumption that I should ignore escaping unless specifically called out by the spec (like it is for authentication cookie paths, though that wasn't enough to work from alone [2]).

Cheers! -Damian

[1] https://gitweb.torproject.org/torspec.git/blob/HEAD:/control-spec.txt#l1924 [2] https://gitweb.torproject.org/stem.git/blob/HEAD:/stem/socket.py#l54

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information