Project

General

Profile

Bug #17542

Username and password are not decoded if retrieved from env

Added by leipert (Lukas Eipert) about 2 months ago.

Status:
Open
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-darwin18]
[ruby-core:102089]

Description

If someone sets an env variable defining a http_proxy (ENV['http_proxy']), containing a
username / password with percent-encoded characters, then the resulting
base64 encoded auth header will be wrong.

For example, suppose a username is Y\X and the password is R%S] ?X.
Properly URL encoded the proxy url would be:

http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000

The resulting proxy auth header should be: WVxYOlIlU10gP1g=, but the
getters defined by ruby StdLib URI return a username Y%5CX and
password R%25S%5D%20%3FX, resulting in WSU1Q1g6UiUyNVMlNUQlMjAlM0ZY.
As a result the proxy will deny the request.

Please note that this is my first contribution to the ruby ecosystem, to
standard lib especially and I am not a ruby developer. I don't
understand ruby's encoding system and the code is not properly
ruby-esque. Sorry for that and a happy and healthy 2021!


The description above is taken from: https://github.com/ruby/net-http/pull/5

References:

No data to display

Also available in: Atom PDF