[ruby-core:102089] [Ruby master Bug#17542] Username and password are not decoded if retrieved from env

[ruby-core:102089] [Ruby master Bug#17542] Username and password are not decoded if retrieved from env

[ruby-lang]

Issue #17542 has been reported by leipert (Lukas Eipert).

----------------------------------------
Bug #17542: Username and password are not decoded if retrieved from env
https://bugs.ruby-lang.org/issues/17542

* Author: leipert (Lukas Eipert)
* Status: Open
* Priority: Normal
* ruby -v: ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-darwin18]
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN
----------------------------------------
If someone sets an env variable defining a http_proxy (ENV['http_proxy']), containing a
username / password with percent-encoded characters, then the resulting
base64 encoded auth header will be wrong.

For example, suppose a username is `Y\X` and the password is `R%S] ?X`.
Properly URL encoded the proxy url would be:

    http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000

The resulting proxy auth header should be: `WVxYOlIlU10gP1g=`, but the
getters defined by ruby StdLib `URI` return a username `Y%5CX` and
password `R%25S%5D%20%3FX`, resulting in `WSU1Q1g6UiUyNVMlNUQlMjAlM0ZY`.
As a result the proxy will deny the request.

Please note that this is my first contribution to the ruby ecosystem, to
standard lib especially and I am not a ruby developer. I don't
understand ruby's encoding system and the code is not properly
ruby-esque. Sorry for that and a happy and healthy 2021!

---

The description above is taken from: https://github.com/ruby/net-http/pull/5

References:

- https://gitlab.com/gitlab-org/gitlab/-/issues/289836
- https://bugs.ruby-lang.org/projects/ruby-master/repository/trunk/revisions/58461
- https://bugs.ruby-lang.org/issues/12921



-- 
https://bugs.ruby-lang.org/

[ruby-core:103641] [Ruby master Bug#17542] Username and password are not decoded if retrieved from env

[nagachika00]

Issue #17542 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN to 2.6: REQUIRED, 2.7: REQUIRED, 3.0: REQUIRED
Status changed from Open to Closed

fixed at 842f00f45212019a3b07f8d8dac269d35beb9efa

----------------------------------------
Bug #17542: Username and password are not decoded if retrieved from env
https://bugs.ruby-lang.org/issues/17542#change-91737

* Author: leipert (Lukas Eipert)
* Status: Closed
* Priority: Normal
* ruby -v: ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-darwin18]
* Backport: 2.6: REQUIRED, 2.7: REQUIRED, 3.0: REQUIRED
----------------------------------------
If someone sets an env variable defining a http_proxy (ENV['http_proxy']), containing a
username / password with percent-encoded characters, then the resulting
base64 encoded auth header will be wrong.

For example, suppose a username is `Y\X` and the password is `R%S] ?X`.
Properly URL encoded the proxy url would be:

    http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000

The resulting proxy auth header should be: `WVxYOlIlU10gP1g=`, but the
getters defined by ruby StdLib `URI` return a username `Y%5CX` and
password `R%25S%5D%20%3FX`, resulting in `WSU1Q1g6UiUyNVMlNUQlMjAlM0ZY`.
As a result the proxy will deny the request.

Please note that this is my first contribution to the ruby ecosystem, to
standard lib especially and I am not a ruby developer. I don't
understand ruby's encoding system and the code is not properly
ruby-esque. Sorry for that and a happy and healthy 2021!

---

The description above is taken from: https://github.com/ruby/net-http/pull/5

References:

- https://gitlab.com/gitlab-org/gitlab/-/issues/289836
- https://bugs.ruby-lang.org/projects/ruby-master/repository/trunk/revisions/58461
- https://bugs.ruby-lang.org/issues/12921



-- 
https://bugs.ruby-lang.org/

[ruby-core:104094] [Ruby master Bug#17542] Username and password are not decoded if retrieved from env

[nagachika00]

Issue #17542 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 2.6: REQUIRED, 2.7: REQUIRED, 3.0: REQUIRED to 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN

withdrawn backport request for now.
I think this is a spec change in practice even if the prior behavior violates any standards.
If you have any objections, please let me know.

----------------------------------------
Bug #17542: Username and password are not decoded if retrieved from env
https://bugs.ruby-lang.org/issues/17542#change-92267

* Author: leipert (Lukas Eipert)
* Status: Closed
* Priority: Normal
* ruby -v: ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-darwin18]
* Backport: 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN
----------------------------------------
If someone sets an env variable defining a http_proxy (ENV['http_proxy']), containing a
username / password with percent-encoded characters, then the resulting
base64 encoded auth header will be wrong.

For example, suppose a username is `Y\X` and the password is `R%S] ?X`.
Properly URL encoded the proxy url would be:

    http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000

The resulting proxy auth header should be: `WVxYOlIlU10gP1g=`, but the
getters defined by ruby StdLib `URI` return a username `Y%5CX` and
password `R%25S%5D%20%3FX`, resulting in `WSU1Q1g6UiUyNVMlNUQlMjAlM0ZY`.
As a result the proxy will deny the request.

Please note that this is my first contribution to the ruby ecosystem, to
standard lib especially and I am not a ruby developer. I don't
understand ruby's encoding system and the code is not properly
ruby-esque. Sorry for that and a happy and healthy 2021!

---

The description above is taken from: https://github.com/ruby/net-http/pull/5

References:

- https://gitlab.com/gitlab-org/gitlab/-/issues/289836
- https://bugs.ruby-lang.org/projects/ruby-master/repository/trunk/revisions/58461
- https://bugs.ruby-lang.org/issues/12921



-- 
https://bugs.ruby-lang.org/