Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id B7FE078110C for <~alpine/apk-tools@lists.alpinelinux.org>; Tue, 14 Dec 2021 23:22:00 +0000 (UTC) Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 027D75C04C7; Tue, 14 Dec 2021 18:22:00 -0500 (EST) Received: from imap46 ([10.202.2.96]) by compute5.internal (MEProxy); Tue, 14 Dec 2021 18:22:00 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jfarr.cc; h= mime-version:message-id:in-reply-to:references:date:from:to:cc :subject:content-type; s=fm2; bh=b2jtYhF4kqkc+mTpwpC3DUV9BR/Emv0 53ZlYKZFRhPY=; b=C0VADfhR/cDAuwYEj8nT0Z2+E1pV2bGCHdW2JH9K/jjMAtf 1AgoduH4BMobVZ7IOhofxdzIXqlOstwAiTQKTZ7ByWMUpJiKst48ZYLO7SCJAPZc bnFbOTZGG+Kw0TKpqyiFEB2fjQ0xl6/wMzREi6DIKejM/zA/o1du7yaRVUxKCUxu bYvAZYgmVzpsCkJk78xTGT4mGC4jTa5hT9YjytgdFWlqU4LpgwvQZRO6PnohVt4M z/vtrDDc/in1lp+OPiGfDiI8j2mlxKX6S3TJPRdoDt58/4Yu9PZ+vJN5AAEIWR+n BCQOVrdDJ9KTr5iX4fJa3Vuwfzb4/HbU5PlNJ5Q== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=b2jtYh F4kqkc+mTpwpC3DUV9BR/Emv053ZlYKZFRhPY=; b=S3/EFq6BQorMhpdHpzKLFo 23ObLNxNDqaDl5+O3TQ+XMpbZrGO/VUs3W47efYBTFKeNxpYACN1/yNjEFv82B1p 0/zsRtUx0gKKLxOsmz6Rxbzim5JjZNr8CduYEj6i/xHUroAM9WVKf4V9X/Ay9AUB CfE3L4j8ouTQxjvfLtjR8g4Fg3iEWet7Jxs+OOujHY1T5MVQxDEyxg+7zZRyMLTV jKqLhbF077+V+4VoVEW/4RQbbyCXZy5dibQVxoiiMy0zx8pQxZkga86xAX8BrFAk NNRKADqiIE+Rx1duDkXTT6yeIrLZEhyrkQdLCkZRz+bzjGuIuZpedst5OWD0blaQ == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvuddrledugddtvdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfg hrlhcuvffnffculddutddmnecujfgurhepofgfggfkjghffffhvffutgesthdtredtreer tdenucfhrhhomhepfdflrghnucfjvghnughrihhkucfhrghrrhdfuceoghhithesjhhfrg hrrhdrtggtqeenucggtffrrghtthgvrhhnpeelhfehtdduhedtieehueehvdehkeffiefg hefgudfhheehjeegieelgedtudegfeenucffohhmrghinheprghlphhinhgvlhhinhhugi drohhrghdpghhithhhuhgsrdgtohhmpdhfrhgvvggsshgurdhorhhgpdhivghtfhdrohhr ghdpuddvfedpvgigrghmphhlvgdrtghomhenucevlhhushhtvghrufhiiigvpedtnecurf grrhgrmhepmhgrihhlfhhrohhmpehgihhtsehjfhgrrhhrrdgttg X-ME-Proxy: Received: by mailuser.nyi.internal (Postfix, from userid 501) id A30491EE007D; Tue, 14 Dec 2021 18:21:59 -0500 (EST) X-Mailer: MessagingEngine.com Webmail Interface User-Agent: Cyrus-JMAP/3.5.0-alpha0-4514-g2bdc19e04f-fm-20211209.002-g2bdc19e0 Mime-Version: 1.0 Message-Id: In-Reply-To: <20211214213430.029b34c5@vostro> References: <20211213212929.925-1-git@jfarr.cc> <20211214213430.029b34c5@vostro> Date: Wed, 15 Dec 2021 00:21:34 +0100 From: "Jan Hendrik Farr" To: "Timo Teras" Cc: ~alpine/apk-tools@lists.alpinelinux.org Subject: Re: [PATCH 1/1] libfetch: Allow special characters in http basic auth Content-Type: text/plain Hi, sorry, forgot to wrap my lines. Wrapped version: > Thanks! There is a related bug > https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10775 > > If this get's fixed, add to commit message: ref #10775 > Looks like this patch should fix that issue. > Is the upstream file somewhere? Yes. As I understand, libfetch.c was originally taken from NetBSD (with certain bits taken from FreeBSD): https://github.com/NetBSD/src/blob/trunk/external/bsd/fetch/dist/libfetch/fetch.c That file has no fix for this and has the same issue. I took this fix from the FreeBSD version: https://cgit.freebsd.org/src/tree/lib/libfetch/fetch.c I took the functions fetch_hexval and fetch_pctdecode (both exact copies) from that file and integrated them into fetchParseURL. > minor readability issue; i'd prefer something like: > if (!dlen) > return NULL; > dlen--; > *dst++ = c; > > To make the error path and normal path more obvious. Since fetch_pctdecode is an exact copy from FreeBSD I would prefer to keep it unchanged. > This will terminate also with ':' in the string now. And will handle > the rest of the URL incorrectly, and break password with ':'. Usernames used for http basic authentication are not allowed to contain ":" according RFC7617 section 2.1 (https://datatracker.ietf.org/doc/html/rfc7617#section-2.1). They are allowed to contain other special characters though and the password is allowed to contain special characters including ":". The characters ":", "@", or "/" present in the username or password must be encoded using percent encoding per RFC1738 section 3.1 (https://datatracker.ietf.org/doc/html/rfc1738#section-3.1). So the only ":" present in this part of the string will be the separator between username and password. Example: username: foo@123/bar password: pass1234:hello: A correct proxy setting (or other URL) using these credentials should be encoded by the user as: http://foo%40123%2Fbar:pass1234%3Ahello%3A@example.com libfetch should then decode the percent encoding to obtain the username and password in plain text, append them using a ":", and then encode the result using base64 to be used during http basic authentication: result: Zm9vQDEyMy9iYXI6cGFzczEyMzQ6aGVsbG86 The decoding of the percent encoding is added in this patch and the appending of username and password and base64 encoding is already correctly handled in http.c. Would you prefer for me to open a merge request on your Gitlab instead? If yes: Which branch should I open the request for? With kind regards, Jan