Webdav: Rclone appears to mis-encode http auth header if password longer than 25 characters

What is the problem you are having with rclone?

When authenticating to WebDav, if a password is longer than 25 characters, the http headers encode strangely and do not decode to the password I input. Important: see bottom of this for extracted data from wireshark!

Run the command 'rclone version' and share the full output of the command.

$ rclone version
rclone v1.72.1
- os/version: arch (64 bit)
- os/kernel: 6.18.5-arch1-1 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.25.5 X:nodwarf5
- go/linking: dynamic
- go/tags: none

Which cloud storage system are you using? (eg Google Drive)

This appears to apply to any generic WebDav server, though the problem arose when testing out the “copyparty” tool.

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone mount a-dav: /mnt/webdavtest/ --no-check-certificate  

The rclone config contents with secrets removed.

Note: as I am using test strings I am not redacting this information.

[a-dav]
type = webdav
user = abcdefghijklmnopqrstuvwxyz
pass = abcdefghijklmnopqrstuvwxyz
url = http://127.0.0.1:3923

A log from the command with the -vv flag

2026/01/21 01:18:46 DEBUG : rclone: Version "v1.72.1" starting with parameters ["rclone" "mount" "a-dav:" "/mnt/webdavtest/" "--no-check-certificate" "-vv"]
2026/01/21 01:18:46 DEBUG : Creating backend with remote "a-dav:"
2026/01/21 01:18:46 DEBUG : Using config file from "/home/elle/.config/rclone/rclone.conf"
2026/01/21 01:18:46 DEBUG : found headers: 
2026/01/21 01:18:46 INFO  : webdav root '': poll-interval is not supported by this remote
2026/01/21 01:18:46 NOTICE: webdav root '': --vfs-cache-mode writes or full is recommended for this remote as it can't stream
2026/01/21 01:18:46 DEBUG : webdav root '': Mounting on "/mnt/webdavtest/"
2026/01/21 01:18:46 DEBUG : Root: 
2026/01/21 01:18:46 DEBUG : >Root: node=/, err=<nil>
2026/01/21 01:18:46 DEBUG : Statfs: 
2026/01/21 01:18:46 DEBUG : Statfs: 
2026/01/21 01:18:46 ERROR : webdav root '': Statfs failed: <pre>authenticate
URL:: 401 Unauthorized
2026/01/21 01:18:46 DEBUG : >Statfs: stat={Blocks:4503599627370495 Bfree:4503599627370495 Bavail:4503599627370495 Files:1000000000 Ffree:1000000000 Bsize:4096 Namelen:255 Frsize:4096}, err=<nil>
2026/01/21 01:18:46 DEBUG : >Statfs: stat={Blocks:274877906944 Bfree:274877906944 Bavail:274877906944 Files:1000000000 Ffree:1000000000 Bsize:4096 Namelen:255 Frsize:4096}, err=<nil>
^C2026/01/21 01:18:50 INFO  : Signal received: interrupt
2026/01/21 01:18:50 NOTICE: /mnt/webdavtest/: Unmounted rclone mount
2026/01/21 01:18:50 INFO  : Exiting...

Naturally, this is a simple 401 error. Not much to see here. However, booting up wireshark and monitoring the connection shows this interesting snippet:

Authorization: Basic YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo6cWsL\r\n
Decoding this string gives us a wrong username:password combo:

abcdefghijklmnopqrstuvwxyz:qk\v (note that \v is actually character 0x000b, vertical tabulation character. it’s basically junk.)

If I perform the same actions as above with a single letter shorter password, I get something more valid:

Authorization: Basic YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo6YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eQ==\r\n
which decodes to: abcdefghijklmnopqrstuvwxyz:abcdefghijklmnopqrstuvwxy, a valid http basic auth header.

Furthermore, in my testing the username length did not appear to matter; I attempted with a length up to 62 characters. The username always decodes fine, but the password portion of the auth string does not encode at 26 characters or more.

Other WebDAV tools such as KDE dolphin send a header that decodes properly even at a length of 62+ characters for each:

Authorization: Basic YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXpBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWjEyMzQ1Njc4OTA6YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXpBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWjEyMzQ1Njc4OTA=\r\n

Decodes to:

Credentials: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890:abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

Per my understanding of http headers, for the most part there is no max limit set by the standard, but some tools such as apache include guidance or parameters of 255 max chars for both username and password. 25 characters seems short for a maximum length of a field like password.

It’s worth noting that my intent is to use this feature over https and I am experiencing an apparently similar issue there, but I lack the skill with wireshark to decode https traffic at this time. I have no reason, based on my understanding of the above, to believe that http vs https would make a difference in this situation.

In the interest of full disclosure, here is the link to the github where this issue was first reported with copyparty and my initial tests.

welcome to the forum,

not sure this is a valid example of your issue, but this works for me

rclone serve webdav ./zork --user=abcdefghijklmnopqrstuvwxyz --pass=abcdefghijklmnopqrstuvwxyz -vv
DEBUG : rclone: Version "v1.72.1" starting with parameters ["rclone" "serve" "webdav" "./zork" "--user=abcdefghijklmnopqrstuvwxyz" "--pass=abcdefghijklmnopqrstuvwxyz" "-vv"]
DEBUG : Creating backend with remote "./zork"
DEBUG : Using config file from "/home/user01/.config/rclone/rclone.conf"
DEBUG : fs cache: renaming cache item "./zork" to be canonical "/home/user01/zork"
INFO  : Local file system at /home/user01/zork: poll-interval is not supported by this remote
INFO  : Using --user abcdefghijklmnopqrstuvwxyz --pass XXXX as authenticated user
NOTICE: Local file system at /home/user01/zork: WebDav Server started on [http://127.0.0.1:8080/]
rclone ls ":webdav,url='http://127.0.0.1:8080',user=abcdefghijklmnopqrstuvwxyz,pass=dqD-NsFIvJoHlk1V2hZwe5p0ELs-mX8bNwpwoXHR7akFVzd_okuF1NFh:" --dump=auth --log-level=DEBUG --log-file=log.txt
        0 file.ext

log.txt

2026/01/21 10:46:27 DEBUG : rclone: Version "v1.72.1" starting with parameters ["rclone" "ls" ":webdav,url='http://127.0.0.1:8080',user=abcdefghijklmnopqrs>
2026/01/21 10:46:27 DEBUG : Creating backend with remote ":webdav,url='http://127.0.0.1:8080',user=abcdefghijklmnopqrstuvwxyz,pass=dqD-NsFIvJoHlk1V2hZwe5p0>
2026/01/21 10:46:27 DEBUG : Using config file from "/home/user01/.config/rclone/rclone.conf"
2026/01/21 10:46:27 DEBUG : :webdav: detected overridden config - adding "{Ms_uj}" suffix to name
2026/01/21 10:46:27 DEBUG : found headers:
2026/01/21 10:46:27 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and>
2026/01/21 10:46:27 DEBUG : fs cache: renaming cache item ":webdav,url='http://127.0.0.1:8080',user=abcdefghijklmnopqrstuvwxyz,pass=dqD-NsFIvJoHlk1V2hZwe5p>
2026/01/21 10:46:27 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2026/01/21 10:46:27 DEBUG : HTTP REQUEST (req 0xc0000f4500)
2026/01/21 10:46:27 DEBUG : PROPFIND / HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: rclone/v1.72.1
Authorization: Basic YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo6YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=
Depth: 1
Referer: http://127.0.0.1:8080/
Accept-Encoding: gzip

2026/01/21 10:46:27 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2026/01/21 10:46:27 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2026/01/21 10:46:27 DEBUG : HTTP RESPONSE (req 0xc0000f4500)
2026/01/21 10:46:27 DEBUG : HTTP/1.1 207 Multi-Status
Content-Length: 1661
Accept-Ranges: bytes
Content-Type: text/xml; charset=utf-8
Date: Wed, 21 Jan 2026 15:46:27 GMT
Server: rclone/v1.72.1

2026/01/21 10:46:27 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2026/01/21 10:46:27 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2026/01/21 10:46:27 DEBUG : HTTP REQUEST (req 0xc0000f4780)
2026/01/21 10:46:27 DEBUG : PROPFIND /zork/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: rclone/v1.72.1
Authorization: Basic YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo6YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=
Depth: 1
Referer: http://127.0.0.1:8080/
Accept-Encoding: gzip

2026/01/21 10:46:27 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2026/01/21 10:46:27 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2026/01/21 10:46:27 DEBUG : HTTP RESPONSE (req 0xc0000f4780)
2026/01/21 10:46:27 DEBUG : HTTP/1.1 207 Multi-Status
Content-Length: 1187
Accept-Ranges: bytes
Content-Type: text/xml; charset=utf-8
Date: Wed, 21 Jan 2026 15:46:27 GMT
Server: rclone/v1.72.1

2026/01/21 10:46:27 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2026/01/21 10:46:27 DEBUG : 7 go routines active

Sorry, to clarify, this is with rclone functioning as webdav client to mount a webdav like a file system - I am connecting to another webdav server.

Nonetheless you have raised a good point. The only way I have verified this behavior is when using the rclone mount functionality. What happens when you attempt to mount or copy to that server you set up there?

yes, i understand that. my example is using rclone for both the client and the server
i think what i posted shows this is not a rclone issue??


note: i just re-edited my last post, with more details


fwiw, please test simple command such as rclone ls instead of complex rclone mount


is that the real password?

That is the real password, although I tested with a number of variations on passwords over 25 characters length and encountered a similar issue. The original password to the original server where I encountered this is a much longer string, but since I could duplicate this using a dummy pw and server I shared that. (eg. for me this issue showed up in both remote https://foo.bar and a local http server running on the loopback interface, but since the server at the other end is https I wasn't able to track that.)

I was unaware of the flags you showed that included the encoded auth string. I will make some attempts surrounding that this afternoon and report back my findings. Thanks for your time.

In the rclone config file, human-readable passwords are obscured

rclone obscure abcdefghijklmnopqrstuvwxyz
NI-ORWqirI17L8MKzB_ORJDLCmx9yPF5dD0mza55u4rC06T7RSc-NuoR
[a-dav]
type = webdav
user = abcdefghijklmnopqrstuvwxyz
pass = NI-ORWqirI17L8MKzB_ORJDLCmx9yPF5dD0mza55u4rC06T7RSc-NuoR
url = http://127.0.0.1:3923

and then try

rclone ls a-dav:

That doesn't seem to be the case for me as I am running cat ~/.config/rclone/rclone.conf in the above example after running the command to create [a-dav]. Perhaps this points to a secondary issue either with my install or with how I am creating the conf file with rclone. I will share the exact command I used for that when I have a chance.

I see your edits and will attempt these steps.

Not a lot of time to test other stuff, but I can verify that for whatever reason, the .conf file is not being created obscured:

mindset@octopus: ~/.config/rclone
$ rclone config create a-dav webdav url=http://127.0.0.1:3923 user=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 pass=aabcdefghijklmnopqrstuvwxy
2026/01/21 10:15:16 NOTICE: Config file "/home/mindset/.config/rclone/rclone.conf" not found - using defaults
[a-dav]
type = webdav
pass = *** ENCRYPTED ***
url = http://127.0.0.1:3923
user = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
 
mindset@octopus: ~/.config/rclone
$ cat rclone.conf
[a-dav]
type = webdav
pass = aabcdefghijklmnopqrstuvwxy
url = http://127.0.0.1:3923
user = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890

tried with a few other variations on the password of the same command; it does not appear the password is encoded regardless of length. Did not have time to try other items, will do so at lunch.

change

the aa looks like a typo

in any event, i already explained, need to use obscured passwords in the config file

  1. edit the rclone.conf in a text editor
  2. change pass = aabcdefghijklmnopqrstuvwxy
    to
    pass = NI-ORWqirI17L8MKzB_ORJDLCmx9yPF5dD0mza55u4rC06T7RSc-NuoR
  3. test again

Scratch that, I had mistyped my commands! It seems ok if the password is shorter than 26 characters (note that a couple times I forgot to remove the old conf file, but it does not appear to matter).

mindset@octopus: ~/.config/rclone
$ rclone config create a-dav webdav url=http://127.0.0.1:3923 user=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 pass=abcdefghijklmnopqrstuvwxy
[a-dav]
type = webdav
url = http://127.0.0.1:3923
user = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
pass = *** ENCRYPTED ***
 
mindset@octopus: ~/.config/rclone
$ cat rclone.conf                                                                                                                                  [10:22:37]
[a-dav]
type = webdav
url = http://127.0.0.1:3923
user = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
pass = 3ti5wui2RqR8zSr64BaAQ7XA_FwEmc483EaZ3ZNc-Njsg00xawxs71o

 
mindset@octopus: ~/.config/rclone
$ rclone config create a-dav webdav url=http://127.0.0.1:3923 user=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 pass=abcdefghijklmnopqrstuvwxyz
[a-dav]
type = webdav
url = http://127.0.0.1:3923
user = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
pass = *** ENCRYPTED ***
 
mindset@octopus: ~/.config/rclone
$ cat rclone.conf                                                                                                                                  [10:22:41]
[a-dav]
type = webdav
url = http://127.0.0.1:3923
user = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
pass = abcdefghijklmnopqrstuvwxyz

 
mindset@octopus: ~/.config/rclone
$ rm rclone.conf                                                                                                                                   [10:22:42]
 
mindset@octopus: ~/.config/rclone
$ rclone config create a-dav webdav url=http://127.0.0.1:3923 user=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 pass=abcdefghijklmnopqrstuvwxyz
2026/01/21 10:23:21 NOTICE: Config file "/home/mindset/.config/rclone/rclone.conf" not found - using defaults
[a-dav]
type = webdav
url = http://127.0.0.1:3923
user = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
pass = *** ENCRYPTED ***
 
mindset@octopus: ~/.config/rclone
$ cat rclone.conf                                                                                                                                  [10:23:21]
[a-dav]
type = webdav
url = http://127.0.0.1:3923
user = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
pass = abcdefghijklmnopqrstuvwxyz

 
mindset@octopus: ~/.config/rclone
$ rm rclone.conf                                                                                                                                   [10:23:24]
 
mindset@octopus: ~/.config/rclone
$ rclone config create a-dav webdav url=http://127.0.0.1:3923 user=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 pass=abcdefghijklmnopqrstuvwxy
2026/01/21 10:23:31 NOTICE: Config file "/home/mindset/.config/rclone/rclone.conf" not found - using defaults
[a-dav]
type = webdav
user = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
pass = *** ENCRYPTED ***
url = http://127.0.0.1:3923
 
mindset@octopus: ~/.config/rclone
$ cat rclone.conf                                                                                                                                  [10:23:31]
[a-dav]
type = webdav
user = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
pass = ZCVjNM8xr63odvyBpEOPlrnGlk3O_b9UjNud0zkTeLeN-K8hTQe3yDc
url = http://127.0.0.1:3923

 
mindset@octopus: ~/.config/rclone
$                                                                                                                                                  [10:23:34]
FAIL

mindset@octopus: ~/.config/rclone
$ rm rclone.conf                                                                                                                                   [10:23:44]
 
mindset@octopus: ~/.config/rclone
$ rclone config create a-dav webdav url=http://127.0.0.1:3923 user=short pass=abcdefghijklmnopqrstuvwxy                                            [10:23:56]
2026/01/21 10:24:06 NOTICE: Config file "/home/mindset/.config/rclone/rclone.conf" not found - using defaults
[a-dav]
type = webdav
user = short
pass = *** ENCRYPTED ***
url = http://127.0.0.1:3923
 
mindset@octopus: ~/.config/rclone
$ cat rclone.conf                                                                                                                                  [10:24:06]
[a-dav]
type = webdav
user = short
pass = U306MsfDibxxWRt4mNs8GdrlFTbTNhQBjKvsXcD2xZnVjAu5xC6SVNU
url = http://127.0.0.1:3923

 
mindset@octopus: ~/.config/rclone
$ rclone config create a-dav webdav url=http://127.0.0.1:3923 user=short pass=abcdefghijklmnopqrstuvwxyz                                           [10:24:09]
[a-dav]
type = webdav
pass = *** ENCRYPTED ***
url = http://127.0.0.1:3923
user = short
 
mindset@octopus: ~/.config/rclone
$ cat rclone.conf                                                                                                                                  [10:24:16]
[a-dav]
type = webdav
pass = abcdefghijklmnopqrstuvwxyz
url = http://127.0.0.1:3923
user = short

If the password parameter is 22 characters or longer and consists only of base64 characters then rclone can get confused about whether the password is already obscured or not and put unobscured passwords into the config file.
If you want to be 100% certain that the passwords get obscured then use the --obscure flag
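
Added example (not part of the thread and not rclone's own code): a pre-flight check for the ambiguity described in the reply above, run over the test passwords from this thread. `CheckPassword`, `Ambiguity` and the decoding model (unpadded URL-safe base64 with a 16-byte prefix, chosen to match the 22-character threshold) are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// Assumption: an obscured value is unpadded URL-safe base64 with a 16-byte
// prefix. 16 bytes is what 22 such characters decode to, matching the
// "22 characters or longer" threshold quoted in the reply.
const prefixBytes = 16

// Ambiguity reports how a typed password would fare under that guess.
type Ambiguity struct {
	LooksObscured bool // true: may be saved as typed and decoded at use
	PayloadBytes  int  // bytes left after the assumed prefix
}

// CheckPassword is a hypothetical pre-flight check, not rclone's own code.
func CheckPassword(pass string) Ambiguity {
	raw, err := base64.RawURLEncoding.DecodeString(pass)
	if err != nil || len(raw) < prefixBytes {
		return Ambiguity{} // cannot be mistaken for an obscured value
	}
	return Ambiguity{LooksObscured: true, PayloadBytes: len(raw) - prefixBytes}
}

func main() {
	// Test strings taken from the thread, plus a constructed 20-character one.
	samples := []string{
		"abcdefghijklmnopqrst",        // constructed: decodes to only 15 bytes
		"abcdefghijklmnopqrstuvwxy",   // 25 chars: not a valid unpadded length
		"abcdefghijklmnopqrstuvwxyz",  // 26 chars: decodes to 19 bytes
		"abcdefghijklmnopqrstuvwxyz!", // '!' is outside the base64 alphabet
	}
	for _, p := range samples {
		a := CheckPassword(p)
		if a.LooksObscured {
			fmt.Printf("%-28s AMBIGUOUS (%d payload bytes): pass --obscure\n", p, a.PayloadBytes)
		} else {
			fmt.Printf("%-28s ok: cannot be read as already obscured\n", p)
		}
	}
}
```

Under this model the 26-character test password leaves 3 payload bytes, the same length as the 3-byte junk password seen in the Wireshark capture, while the 25-character one is not a valid unpadded base64 length and so is never ambiguous.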

aha! that answers it! I will test and verify, but I think you’ve pinpointed my “bug”

Yes, this did it, I was unaware of this flag or potential problem. My original password was also alphanumeric with _ and -, which are of course part of the base64 URL-safe char set.

Verified:

  • Using a manually obscured password as noted previously, worked.
  • Using the --obscure flag as noted previously, worked.
  • Changing my password to include a ! or any other character not in the base64 char set, worked.

Thanks for your time and patience @asdffdsa !
