Feature #10652
closed
Automatic detection of user and password from env
Added by xfalcox (Rafael Silva) almost 10 years ago.
Updated almost 10 years ago.
Description
Get user and pass from http_proxy variable when specified, so that Net::HTTP can handle connections behind authenticated proxies automatically.
I'm new, so please correct me if this isn't the correct way to go.
Also, I've opened a PR on GitHub at https://github.com/ruby/ruby/pull/763
- Status changed from Open to Assigned
- Assignee set to akr (Akira Tanaka)
- Priority changed from Normal to 3
Looks like a repeated request to my eyes.
- Assignee changed from akr (Akira Tanaka) to ayumin (Ayumu AIZAWA)
- Priority changed from 3 to Normal
ayumin committed the patch at r49118.
However, I think there should be security consideration.
Storing secret information in environment variables is not a trivially safe behavior.
For example, I read two articles recently:
I'm sorry that I missed this issue. However, I think it's reasonable to store the credential in env.
I believe that Ruby should provide a way to access credentials that are put in the environment, as a tool. Whether to use this feature or not depends on the user.
But if the majority does not agree to enable this patch, I'm OK with reverting it soon.
I confirmed RFC1738, it says "No user name or password is allowed." for HTTP.
So, I will revert r49118, sorry.
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Applied in changeset r49124.
Revert r49118 [Feature #10652]
I've sent the patch because this behavior is what's expected, since many Unix tools (curl, wget, apt-get) and programming languages (nodejs, python) respect the environment variable http_proxy.
This makes it very hard to use some ruby tools in the enterprise world, where the proxy is required, and you try to use a gem or program that didn't care to be proxy compliant.
curl, wget and apt-get support storing passwords in .curlrc, .wgetrc, .netrc or apt.conf.
So users can store password in a file if environment variable is not appropriate.
Your patch only supports environment variable.
It encourages users to store passwords in an environment variable even if it is not appropriate.
I think the missing piece is a library for password store for storing passwords in a file.
(The file should be possible to be encrypted.)
Sorry to insist on this, but what about other languages like python and nodejs working fine while ruby fails with "407 Proxy authentication required"?
From a user's point of view it's unexpected behavior, since ruby reads the string, and ignores some parts of it (user & password), while other languages work out of the box in his enterprise setup.
This is very annoying when you just want to consume a gem but the author didn't include explicit proxy support, and net/http doesn't provide it either.
- Related to Feature #12921: Retrieve user and password for proxy from env added
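The trade-off debated in this thread (credentials embedded in the http_proxy URL versus a password file, as curl and wget allow) can be handled in application code by passing proxy credentials to Net::HTTP.new explicitly. The following is an added example, not code from the patch or from Ruby itself; the helper names, the `user:password` file format and the sample proxy URL are assumptions.

```ruby
require 'net/http'
require 'uri'

# Percent-decode a userinfo component ("p%40ss" -> "p@ss").
def pct_decode(str)
  str.b.gsub(/%\h\h/) { |m| m[1, 2].hex.chr }.force_encoding('UTF-8')
end

# Read "user:password" from a file, refusing files that other accounts can
# read. (Hypothetical helper and file format, in the spirit of .netrc.)
def file_credentials(path)
  mode = File.stat(path).mode & 0o777
  raise SecurityError, format('%s is mode %o, expected 600', path, mode) unless (mode & 0o077).zero?
  File.read(path).chomp.split(':', 2)
end

# Turn a proxy URL into [host, port, user, pass] for Net::HTTP.new.
# Credentials in the URL win; otherwise fall back to the credentials file.
def proxy_args(proxy_url, cred_file: nil)
  uri = URI.parse(proxy_url)
  raise ArgumentError, 'proxy URL has no host' unless uri.host
  user, pass = uri.user, uri.password
  if user
    user = pct_decode(user)
    pass = pct_decode(pass) if pass
  elsif cred_file
    user, pass = file_credentials(cred_file)
  end
  [uri.host, uri.port, user, pass]
end

# Proxy URL without userinfo, safe to write to logs.
def redact_proxy(proxy_url)
  uri = URI.parse(proxy_url)
  "#{uri.scheme}://#{uri.host}:#{uri.port}"
end

# Build a client that authenticates to the proxy explicitly. No connection is
# opened until #start or a request is made.
def http_via_proxy(host, port, proxy_url, cred_file: nil)
  Net::HTTP.new(host, port, *proxy_args(proxy_url, cred_file: cred_file))
end

# Constructed sample value, not a real proxy.
SAMPLE_PROXY = 'http://alice:p%40ss@proxy.example.test:3128'
```

Logging `redact_proxy(url)` instead of the raw variable keeps the password out of log files even when it is supplied through the environment.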