Bug #17542
Closed
Username and password are not decoded if retrieved from env
Description
If someone sets an env variable defining a http_proxy (ENV['http_proxy']), containing a
username / password with percent-encoded characters, then the resulting
base64 encoded auth header will be wrong.
For example, suppose a username is Y\X and the password is R%S] ?X.
Properly URL encoded the proxy url would be:
http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000
The resulting proxy auth header should be: WVxYOlIlU10gP1g=, but the getters defined by ruby StdLib URI return a username Y%5CX and password R%25S%5D%20%3FX, resulting in WSU1Q1g6UiUyNVMlNUQlMjAlM0ZY.
As a result the proxy will deny the request.
Please note that this is my first contribution to the ruby ecosystem, to
standard lib especially and I am not a ruby developer. I don't
understand ruby's encoding system and the code is not properly
ruby-esque. Sorry for that and a happy and healthy 2021!
The description above is taken from: https://github.com/ruby/net-http/pull/5
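The mismatch described in the report, reproduced as an added example (not code from the pull request or from net/http): it parses the proxy URL from the description and builds the Basic credential value with and without percent-decoding. The helper names are hypothetical, and the decoding routine is one possible approach, not necessarily the one the fix uses.

```ruby
require "uri"

# Constructed sample: the proxy URL from the report
# (username Y\X, password R%S] ?X, percent-encoded).
PROXY_URL = "http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000"

# Hypothetical helper: undo percent-encoding only. A "+" stays a literal
# plus sign, because URL userinfo is not form-encoded data.
def percent_decode(component)
  component.b.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
end

# Hypothetical helper: the base64 value that would follow "Basic " in a
# Proxy-Authorization header. decode: false reproduces the reported
# behaviour; decode: true is the value the proxy expects.
def proxy_credentials(proxy_url, decode:)
  uri = URI.parse(proxy_url)
  return nil unless uri.user          # no userinfo, no header

  user = uri.user                     # URI returns the raw, still-encoded form
  pass = uri.password.to_s
  user, pass = percent_decode(user), percent_decode(pass) if decode
  ["#{user}:#{pass}"].pack("m0")      # strict base64, no line breaks
end

# Hypothetical check: true when a proxy URL carries percent-encoded
# credentials, i.e. when the two variants above would differ.
def encoded_userinfo?(proxy_url)
  proxy_credentials(proxy_url, decode: false) !=
    proxy_credentials(proxy_url, decode: true)
end

if $PROGRAM_NAME == __FILE__
  puts "undecoded: #{proxy_credentials(PROXY_URL, decode: false)}"
  puts "decoded:   #{proxy_credentials(PROXY_URL, decode: true)}"
end
```

Running `encoded_userinfo?` against the value of `ENV['http_proxy']` shows whether a given deployment's credentials are affected by the behaviour in the report.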
Updated by nagachika (Tomoyuki Chikanaga) over 3 years ago
- Status changed from Open to Closed
- Backport changed from 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN to 2.6: REQUIRED, 2.7: REQUIRED, 3.0: REQUIRED
fixed at 842f00f45212019a3b07f8d8dac269d35beb9efa
Updated by nagachika (Tomoyuki Chikanaga) over 3 years ago
- Backport changed from 2.6: REQUIRED, 2.7: REQUIRED, 3.0: REQUIRED to 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN
withdrawn backport request for now.
I think this is a spec change in practice even if the prior behavior violates any standards.
If you have any objections, please let me know.