Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 15448780DB7
	for <~alpine/apk-tools@lists.alpinelinux.org>; Thu, 16 Dec 2021 22:35:25 +0000 (UTC)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
	by mailout.nyi.internal (Postfix) with ESMTP id 8E2005C0161;
	Thu, 16 Dec 2021 17:35:23 -0500 (EST)
Received: from imap46 ([10.202.2.96])
  by compute5.internal (MEProxy); Thu, 16 Dec 2021 17:35:23 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jfarr.cc; h=
	mime-version:message-id:in-reply-to:references:date:from:to:cc
	:subject:content-type; s=fm2; bh=mRBpFpUPMX0trhXu3pQvZOzwpj4Tfgz
	ubzIv3NXDOVA=; b=nQ1GVqDF1m7yb5kaRIONPYChC9BSJ0UAX+1VWpjTFzSGeMd
	Az2pipYEnw8T5OIzFmeNHO3AibGJbzH6nV4GOD3KrFTQ/CObQUWfulPKuUVlevG3
	n8oQz/g/DyDsUfU6VoD8IKpGhl14gLpuwgapgRfcY0T07gLXN/dJ/AuqCcvqUNNX
	RLyGv+i6TEli0qQ9kDWehPXkg9X2a1P0rNcz+f+Wfxqe1C6VfYhEgJVNIlR3DMmR
	Ry58uIgoTFuDlA0Slq0mwis8w9FSx0xvr/3xFpYl8L735XqjGo5WQFf6MhL93EEY
	c4dyLAGP/3Lb8bN9Ks4wdvHOoZJK1S2iboRWcHQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-type:date:from:in-reply-to
	:message-id:mime-version:references:subject:to:x-me-proxy
	:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=mRBpFp
	UPMX0trhXu3pQvZOzwpj4TfgzubzIv3NXDOVA=; b=hrz4Ul5GXmUgtu/IcavYIt
	Lr+U9o+cWyX+fJRZJGVeEHMdClvhCd7y1snkRYX4cjtsHvwhVgepkmxbHCzh/PaT
	+rOHI5u+tPn2W+7DJNRZM4OacGCzrtYt5voETKQEBty2ScuX9zQ3MxV0ucCAzhbt
	C0hIl6448nwS66bSDtbyCo0bHg9Sp+gzhzRKOeCRmr4FuggYxIe2rjhYhKEue1xx
	wyU9MM1HPhmWTV4BeVhCdT7TeQQ/J1J+IEZbePCDBznAPfJU25SOu2DfdzgRKqoQ
	J/ifuyj0sCJ2vkNpxJ4fSWx/WHQgKhQ0KrklC0L77/IhI0gMxjYBKDpENjhMqCJA
	==
X-ME-Sender: <xms:K7-7YfWlAKM0hmuI7-gYdiB4BWGSE3cwvf6YIxIA7aPfcBa56fK9DA>
    <xme:K7-7YXnjMrg712_5OS1qpg6rzaSftZObfpxdscQPGKEK7N5PqECkVdS4LFPL14sDQ
    aVHvVNvHn3kc1-_lVo>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvuddrleeggdduieegucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
    gfrhhlucfvnfffucdludehmdenucfjughrpefofgggkfgjfhffhffvufgtsehttdertder
    redtnecuhfhrohhmpedflfgrnhcujfgvnhgurhhikhcuhfgrrhhrfdcuoehgihhtsehjfh
    grrhhrrdgttgeqnecuggftrfgrthhtvghrnhepheeuvdffkeeflefgkeffteeiueeffeeg
    fffgueduueeggfeifefhkedufedtledunecuvehluhhsthgvrhfuihiivgeptdenucfrrg
    hrrghmpehmrghilhhfrhhomhepghhithesjhhfrghrrhdrtggt
X-ME-Proxy: <xmx:K7-7Ybbo9b7S7QAu0J7CvBxHLmW9AAMa1Duh16j2m3xv0t8ZqxjW4Q>
    <xmx:K7-7YaUFc97PYcLqpWE6jQhCpYaGNPHAEgDm3y8cnvbwQyakl3XtDQ>
    <xmx:K7-7YZlpa5QD5ibg08ODo43yckoe8tgJM1fmYNNS-hWlBgJwroy8zQ>
    <xmx:K7-7YXSsGNHXY0pVO4zLcjWOfQajHhjN678FZPiR2nKzlylZ3xIAZw>
Received: by mailuser.nyi.internal (Postfix, from userid 501)
	id 623031EE007B; Thu, 16 Dec 2021 17:35:23 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-4524-g5e5d2efdba-fm-20211214.001-g5e5d2efd
Mime-Version: 1.0
Message-Id: <ee832554-1af5-47cd-a60a-81903b2e7a84@www.fastmail.com>
In-Reply-To: <20211215082220.71dbc443@vostro>
References: <20211213212929.925-1-git@jfarr.cc>
 <20211214213430.029b34c5@vostro>
 <e4a2e0eb-762f-41e7-92ce-0c58023f280d@www.fastmail.com>
 <20211215082220.71dbc443@vostro>
Date: Thu, 16 Dec 2021 23:34:38 +0100
From: "Jan Hendrik Farr" <git@jfarr.cc>
To: "Timo Teras" <timo.teras@iki.fi>
Cc: ~alpine/apk-tools@lists.alpinelinux.org
Subject: Re: [PATCH 1/1] libfetch: Allow special characters in http basic auth
Content-Type: text/plain

Hi,

this version will allow unencoded colons in the password. I modified
fetch_pctdecode to allow the callee to specify at what characters it
should stop. For the username it stops at ":" or "@" and for the
password just at "@". I prefer this behavior over giving people an error.
While it will allow some invalid credentials this is actually the same
behavior as curl + this won't brake current setups.

With kind regards, Jan






Currently, special characters in the username or password are not
handled correctly (when set in $http_proxy and $https_proxy). They
should be percent encoded in the environment variables then decoded
by libfetch and reencoded using base64. This implementation is mainly
taken from the current FreeBSD source and adapted to the apk-tools
version of libfetch.
---
 libfetch/fetch.c | 80 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 67 insertions(+), 13 deletions(-)

diff --git a/libfetch/fetch.c b/libfetch/fetch.c
index 45c92aa..526ba86 100644
--- a/libfetch/fetch.c
+++ b/libfetch/fetch.c
@@ -354,7 +354,58 @@ fetchCopyURL(const struct url *src)
 }

 /*
- * Split an URL into components. URL syntax is:
+ * Return value of the given hex digit.
+ */
+static int
+fetch_hexval(char ch)
+{
+
+       if (ch >= '0' && ch <= '9')
+               return (ch - '0');
+       else if (ch >= 'a' && ch <= 'f')
+               return (ch - 'a' + 10);
+       else if (ch >= 'A' && ch <= 'F')
+               return (ch - 'A' + 10);
+       return (-1);
+}
+
+/*
+ * Decode percent-encoded URL component from src into dst, stopping at end
+ * of string or one of the characters contained in brk.  Returns a pointer
+ * to the unhandled part of the input string (null terminator, specified
+ * character).  No terminator is written to dst (it is the caller's
+ * responsibility).
+ */
+static const char *
+fetch_pctdecode(char *dst, const char *src, const char *brk, size_t dlen)
+{
+       int d1, d2;
+       char c;
+       const char *s;
+
+
+
+       for (s = src; *s != '\0' && !strchr(brk, *s); s++) {
+               if (s[0] == '%' && (d1 = fetch_hexval(s[1])) >= 0 &&
+                   (d2 = fetch_hexval(s[2])) >= 0 && (d1 > 0 || d2 > 0)) {
+                       c = d1 << 4 | d2;
+                       s += 2;
+               } else if (s[0] == '%') {
+                       /* Invalid escape sequence. */
+                       return (NULL);
+               } else {
+                       c = *s;
+               }
+               if (!dlen)
+                       return NULL;
+               dlen--;
+               *dst++ = c;
+       }
+       return (s);
+}
+
+/*
+ * Split a URL into components. URL syntax is:
  * [method:/][/[user[:pwd]@]host[:port]/][document]
  * This almost, but not quite, RFC1738 URL syntax.
  */
@@ -428,25 +479,28 @@ find_user:
        p = strpbrk(URL, "/@");
        if (p != NULL && *p == '@') {
                /* username */
-               for (q = URL, i = 0; (*q != ':') && (*q != '@'); q++) {
-                       if (i >= URL_USERLEN) {
-                               url_seterr(URL_BAD_AUTH);
-                               goto ouch;
-                       }
-                       u->user[i++] = *q;
+               q = URL;
+               q = fetch_pctdecode(u->user, q, ":@", URL_USERLEN);
+               if (q == NULL) {
+                       url_seterr(URL_BAD_AUTH);
+                       goto ouch;
                }

                /* password */
                if (*q == ':') {
-                       for (q++, i = 0; (*q != '@'); q++) {
-                               if (i >= URL_PWDLEN) {
-                                       url_seterr(URL_BAD_AUTH);
-                                       goto ouch;
-                               }
-                               u->pwd[i++] = *q;
+                       q = fetch_pctdecode(u->pwd, q + 1, "@", URL_PWDLEN);
+
+                       if (q == NULL) {
+                               url_seterr(URL_BAD_AUTH);
+                               goto ouch;
                        }
                }

+               if (*q != '@') {
+                       url_seterr(URL_BAD_AUTH);
+                       goto ouch;
+               }
+
                p++;
        } else {
                p = URL;
--
2.34.1