Project

General

Profile

Actions

Bug #17542

closed

Username and password are not decoded if retrieved from env

Added by leipert (Lukas Eipert) almost 4 years ago. Updated over 3 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-darwin18]
[ruby-core:102089]

Description

If someone sets an env variable defining a http_proxy (ENV['http_proxy']), containing a
username / password with percent-encoded characters, then the resulting
base64 encoded auth header will be wrong.

For example, suppose a username is Y\X and the password is R%S] ?X.
Properly URL encoded the proxy url would be:

http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000

The resulting proxy auth header should be: WVxYOlIlU10gP1g=, but the
getters defined by ruby StdLib URI return a username Y%5CX and
password R%25S%5D%20%3FX, resulting in WSU1Q1g6UiUyNVMlNUQlMjAlM0ZY.
As a result the proxy will deny the request.

Please note that this is my first contribution to the ruby ecosystem, to
standard lib especially and I am not a ruby developer. I don't
understand ruby's encoding system and the code is not properly
ruby-esque. Sorry for that and a happy and healthy 2021!


The description above is taken from: https://github.com/ruby/net-http/pull/5

References:

Updated by nagachika (Tomoyuki Chikanaga) over 3 years ago

  • Status changed from Open to Closed
  • Backport changed from 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN to 2.6: REQUIRED, 2.7: REQUIRED, 3.0: REQUIRED

fixed at 842f00f45212019a3b07f8d8dac269d35beb9efa

Updated by nagachika (Tomoyuki Chikanaga) over 3 years ago

  • Backport changed from 2.6: REQUIRED, 2.7: REQUIRED, 3.0: REQUIRED to 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN

withdrawn backport request for now.
I think this is a spec change in practice even if the prior behavior violates any standards.
If you have any objections, please let me know.

Actions

Also available in: Atom PDF

Like0
Like0Like0