changeset 6321:9e5bb00c0525

author Sebastien Jodogne <s.jodogne@gmail.com>
date Tue, 23 Sep 2025 10:35:32 +0200
parents 9bedea43f593
children e3a855dc1ebf
files NEWS OrthancFramework/Sources/HttpServer/HttpServer.cpp
diffstat 2 files changed, 15 insertions(+), 1 deletions(-) [+]
--- a/NEWS	Mon Sep 22 15:53:14 2025 +0200
+++ b/NEWS	Tue Sep 23 10:35:32 2025 +0200
@@ -38,6 +38,7 @@
 * Fix: Orthanc was unable to convert the tags into dicom+json format if the instance contained an 
        empty element in a sequence.  This was preventing access to /dicom-web/../metadata routes and prevented
        visualization in e.g. the Stone Web viewer and OHIF.
+* Fix issue 252: Disallow colons in HTTP basic usernames
 
 
 Version 1.12.9 (2025-08-11)
--- a/OrthancFramework/Sources/HttpServer/HttpServer.cpp	Mon Sep 22 15:53:14 2025 +0200
+++ b/OrthancFramework/Sources/HttpServer/HttpServer.cpp	Tue Sep 23 10:35:32 2025 +0200
@@ -1959,9 +1959,22 @@
   void HttpServer::RegisterUser(const char* username,
                                 const char* password)
   {
+    const std::string s(username);
+    if (s.find(':') != std::string::npos)
+    {
+      /**
+       * "A user-id containing a colon character is invalid, as the
+       * first colon in a user-pass string separates user-id and
+       * password from one another" (cf. issue 252)
+       * https://datatracker.ietf.org/doc/html/rfc7617
+       **/
+      throw OrthancException(ErrorCode_ParameterOutOfRange, "Usernames for HTTP Basic Authentication "
+                             "cannot contain \":\", but found: \"" + s + "\"");
+    }
+
     Stop();
 
-    std::string tag = std::string(username) + ":" + std::string(password);
+    std::string tag = s + ":" + std::string(password);
     std::string encoded;
     Toolbox::EncodeBase64(encoded, tag);
     registeredUsers_.insert(encoded);
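Review bot: The new precondition is enforced but nowhere documented: a caller of RegisterUser now receives an ErrorCode_ParameterOutOfRange exception for a colon in the username, and nothing at the signature on line 24 says so, so a Doxygen comment there (or on the declaration in the header, outside this hunk) would help: `/// Registers a user for HTTP Basic Authentication. The username must not contain ':' (RFC 7617 splits user-id from password at the first colon); throws ErrorCode_ParameterOutOfRange otherwise. The password may legitimately contain ':'.` That last caveat matters because the registered tag is stored and compared as one base64 string, so a colon in the password remains unambiguous and the check should not be extended to it. Separately, `const std::string s(username);` still dereferences a null pointer, exactly as the original `std::string(username)` did, so a null check is worth adding if any caller can pass one. RegisterUser's body continues past the end of the hunk.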