Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 15448780DB7 for <~alpine/apk-tools@lists.alpinelinux.org>; Thu, 16 Dec 2021 22:35:25 +0000 (UTC)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 8E2005C0161; Thu, 16 Dec 2021 17:35:23 -0500 (EST)
Received: from imap46 ([10.202.2.96]) by compute5.internal (MEProxy); Thu, 16 Dec 2021 17:35:23 -0500
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 623031EE007B; Thu, 16 Dec 2021 17:35:23 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-4524-g5e5d2efdba-fm-20211214.001-g5e5d2efd
Mime-Version: 1.0
Message-Id:
In-Reply-To: <20211215082220.71dbc443@vostro>
References: <20211213212929.925-1-git@jfarr.cc> <20211214213430.029b34c5@vostro> <20211215082220.71dbc443@vostro>
Date: Thu, 16 Dec 2021 23:34:38 +0100
From: "Jan Hendrik Farr"
To: "Timo Teras"
Cc: ~alpine/apk-tools@lists.alpinelinux.org
Subject: Re: [PATCH 1/1] libfetch: Allow special characters in http basic auth
Content-Type: text/plain

Hi,

this version will allow unencoded colons in the password. I modified fetch_pctdecode to allow the callee to specify at what characters it should stop. For the username it stops at ":" or "@" and for the password just at "@".

I prefer this behavior over giving people an error. While it will allow some invalid credentials, this is actually the same behavior as curl, and this won't break current setups.

With kind regards,
Jan

Currently, special characters in the username or password are not handled correctly (when set in $http_proxy and $https_proxy). They should be percent encoded in the environment variables, then decoded by libfetch and reencoded using base64.

This implementation is mainly taken from the current FreeBSD source and adapted to the apk-tools version of libfetch.
---
 libfetch/fetch.c | 80 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 67 insertions(+), 13 deletions(-)

diff --git a/libfetch/fetch.c b/libfetch/fetch.c
index 45c92aa..526ba86 100644
--- a/libfetch/fetch.c +++ b/libfetch/fetch.c @@ -354,7 +354,58 @@ fetchCopyURL(const struct url *src) } /* - * Split an URL into components. URL syntax is: + * Return value of the given hex digit. + */ +static int +fetch_hexval(char ch) +{ + + if (ch >= '0' && ch <= '9') + return (ch - '0'); + else if (ch >= 'a' && ch <= 'f') + return (ch - 'a' + 10); + else if (ch >= 'A' && ch <= 'F') + return (ch - 'A' + 10); + return (-1); +} + +/* + * Decode percent-encoded URL component from src into dst, stopping at end + * of string or one of the characters contained in brk. Returns a pointer + * to the unhandled part of the input string (null terminator, specified + * character). No terminator is written to dst (it is the caller's + * responsibility). + */ +static const char * +fetch_pctdecode(char *dst, const char *src, const char *brk, size_t dlen) +{ + int d1, d2; + char c; + const char *s; + + + + for (s = src; *s != '\0' && !strchr(brk, *s); s++) { + if (s[0] == '%' && (d1 = fetch_hexval(s[1])) >= 0 && + (d2 = fetch_hexval(s[2])) >= 0 && (d1 > 0 || d2 > 0)) { + c = d1 << 4 | d2; + s += 2; + } else if (s[0] == '%') { + /* Invalid escape sequence. */ + return (NULL); + } else { + c = *s; + } + if (!dlen) + return NULL; + dlen--; + *dst++ = c; + } + return (s); +} + +/* + * Split a URL into components. URL syntax is: * [method:/][/[user[:pwd]@]host[:port]/][document] * This almost, but not quite, RFC1738 URL syntax. */ 
@@ -428,25 +479,28 @@ find_user: p = strpbrk(URL, "/@"); if (p != NULL && *p == '@') { /* username */ - for (q = URL, i = 0; (*q != ':') && (*q != '@'); q++) { - if (i >= URL_USERLEN) { - url_seterr(URL_BAD_AUTH); - goto ouch; - } - u->user[i++] = *q; + q = URL; + q = fetch_pctdecode(u->user, q, ":@", URL_USERLEN); + if (q == NULL) { + url_seterr(URL_BAD_AUTH); + goto ouch; } /* password */ if (*q == ':') { - for (q++, i = 0; (*q != '@'); q++) { - if (i >= URL_PWDLEN) { - url_seterr(URL_BAD_AUTH); - goto ouch; - } - u->pwd[i++] = *q; + q = fetch_pctdecode(u->pwd, q + 1, "@", URL_PWDLEN); + + if (q == NULL) { + url_seterr(URL_BAD_AUTH); + goto ouch; } } + if (*q != '@') { + url_seterr(URL_BAD_AUTH); + goto ouch; + } + p++; } else { p = URL; -- 2.34.1
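Review bot: the doc comment on fetch_pctdecode in the first hunk describes the stop conditions but not the NULL return, which the loop produces in two different situations: a malformed escape (`return (NULL);` under "Invalid escape sequence") and running out of room (`if (!dlen) return NULL;`). Spell both out, and document that the `(d1 > 0 || d2 > 0)` clause deliberately routes `%00` to the "invalid escape" branch, since a decoded NUL would silently truncate the credential rather than being a bad escape as such; a one-line comment there saves the next reader from "fixing" it. Two smaller points: `dlen` counts decoded bytes only and no terminator is written, so the comment should say the caller needs dlen + 1 bytes of storage; and the three blank lines between the local declarations and the `for` loop should go.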
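Review bot: in the second hunk neither `u->user` nor `u->pwd` is NUL-terminated after `fetch_pctdecode` returns, and the helper explicitly leaves that to the caller. A user name that decodes to exactly URL_USERLEN bytes fills the whole buffer, so the result is only terminated if `u` was zero-filled and the fields carry a spare byte; make that explicit instead of implied, for example by having the helper write `*dst = '\0'` after the loop and passing the buffer size including the terminator, or by terminating right after each call here. Minor: `q = URL;` followed by `q = fetch_pctdecode(u->user, q, ":@", URL_USERLEN);` can be a single call with `URL` as the argument.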