Automatic detection of user and password from env
Get user and pass from http_proxy variable when specified, so that NET::HTTP can handle connections behind authenticated proxies automatically.
I'm new, so please correct me if this isn't the correct way to go.
Also, I've open a PR on github at [[[https://github.com/ruby/ruby/pull/763]]]
#2 [ruby-core:67305] Updated by akr (Akira Tanaka) about 3 years ago
- Assignee changed from akr (Akira Tanaka) to ayumin (Ayumu AIZAWA)
- Priority changed from 3 to Normal
ayumin committed the patch at r49118.
However, I think there should be security consideration.
Storing secret information in environment variables is not a trivially safe behavior.
For example, I read two articles recently:
#3 [ruby-core:67306] Updated by ayumin (Ayumu AIZAWA) about 3 years ago
I'm sorry that I missed this issue. However I think it's reasonable to storing the credential into env.
I believe that the ruby should provide way to access credential which is put on environment as a tool. Using this feature or not is depends on the user.
But if majority do not agree to enable this pach, I'm ok to reverting it soon.
#6 [ruby-core:67310] Updated by xfalcox (Rafael Silva) about 3 years ago
I've sent the patch because this behavior is the expected since many unix tools (curl, wget, apt-get) and programming languagues (nodejs, python) respect the environment variable http_proxy.
This makes very hard to use some ruby tools in the enterprise world, where the proxy is required, and you try to use a gem or program that didn't care to be proxy compliant.
#7 [ruby-core:67314] Updated by akr (Akira Tanaka) about 3 years ago
curl, wget and apt-get supports storing passwords in .curlrc, .wgetrc, .netrc or apt.conf.
So users can store password in a file if environment variable is not appropriate.
Your patch only supports environment variable.
It encourages users to store passwords in a environment variabe even if it is not appropriate.
I think the missing piece is a library for password store for storing passwords in a file.
(The file should be possible to be encrypted.)
#8 [ruby-core:67868] Updated by xfalcox (Rafael Silva) about 3 years ago
Sorry to insist on this, but what about other languages like python and nodejs working fine while ruby fails with "407 Proxy authentication required"?
From an user point of view it's a unexpected behavior, since ruby reads the string, and ignores some parts of it (user & password), while other languages work out of box in his enterprise setup.
This is very annoying when you just want to consume a gem but the author didn't include explict proxy support, and net/http doesn't provide it either.