Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 2D2957810DD
	for <~alpine/apk-tools@lists.alpinelinux.org>; Tue, 14 Dec 2021 23:10:14 +0000 (UTC)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
	by mailout.nyi.internal (Postfix) with ESMTP id 535C65C00C4;
	Tue, 14 Dec 2021 18:10:12 -0500 (EST)
Received: from imap46 ([10.202.2.96])
  by compute5.internal (MEProxy); Tue, 14 Dec 2021 18:10:12 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jfarr.cc; h=
	mime-version:message-id:in-reply-to:references:date:from:to:cc
	:subject:content-type; s=fm2; bh=OC+PLKOPfW1bVsQipMBnFR5W9JFeEuz
	yX+akv7q+4MY=; b=T1FXXBKSO8Wsmj44FWMn6koi5+Pf40xn2YsWnOeq+0rNmEW
	YkP8Spq0YhD+xeBrwm1TwgvYiqiuXJa7rCe4IyWNGFkWrdnSAqt3G6J+VIOX888g
	ChSz6XcPGaR8Kq4ZdHC1KQPBPiBC+H7LuKPGiEz3A/ng2hkfFq6T/T5jyEFVLJBE
	QW5laFFYcCHHGMzdJQljGH8sJlxJD7lKO2Cs3l0iAYZTAPEmyH/9H1Hx6RcCXriE
	QS8ZS66xDBBf8gZTNC2qSDw1kNu1PUlLtCR9uncpFxJra39ALjhyBkuyrJBZ4P0T
	ENSSudFdUk4e1pKcZAXHn0GVBVSI+Nmbu22+Qtg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-type:date:from:in-reply-to
	:message-id:mime-version:references:subject:to:x-me-proxy
	:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=OC+PLK
	OPfW1bVsQipMBnFR5W9JFeEuzyX+akv7q+4MY=; b=Q6gWEB+BQ6z+q5Fm+lpYAq
	v2mlGfhV1aNuaWT0zPnat0ZcRcqQr3U7uIDhq9hLL/kGOPJyG9lkx2VjtU8kRYLo
	PWIP2v/BCVbRgzZciJWNabr0waW7KBaBm6qjmlW7MrE+xCEAbr6CrAHcymZguRDq
	9spoSa3w1fSKBOs2Z6xg/s+N+W57Lf8eUsThNm2/KCu7lLNPuQdvqOxzsZybjum5
	5k3ruBsHGcpuPB3XjbTJIYO4xGlcb2lXEYQbqhdwXSBaIhdgefMtd4LAXoYK3DNZ
	GgRLLtK0DjQOO2+1R9RCQGs6jLR52/GgxxCP6Njmewhf0rz1AnlSGQQbo56bF2Kw
	==
X-ME-Sender: <xms:UyS5YfgUcn-LgTdBrSJBKBpyUWUgRKppnR1q5n1XaPZUUT2e0NE_XQ>
    <xme:UyS5YcDZ_26dMeqnuYL5AYhGShvydUIhYRsi6lcCGJdKOxamen32ZFMRoce3bN8cV
    B7HZ8yz0WkqDKOlbDE>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvuddrledtgddujedtucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
    gfrhhlucfvnfffucdluddtmdenucfjughrpefofgggkfgjfhffhffvufgtsehttdertder
    redtnecuhfhrohhmpedflfgrnhcujfgvnhgurhhikhcuhfgrrhhrfdcuoehgihhtsehjfh
    grrhhrrdgttgeqnecuggftrfgrthhtvghrnheplefhhedtudehtdeiheeuhedvheekffei
    gfehgfduhfehheejgeeileegtddugeefnecuffhomhgrihhnpegrlhhpihhnvghlihhnuh
    igrdhorhhgpdhgihhthhhusgdrtghomhdpfhhrvggvsghsugdrohhrghdpihgvthhfrdho
    rhhgpdduvdefpdgvgigrmhhplhgvrdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenuc
    frrghrrghmpehmrghilhhfrhhomhepghhithesjhhfrghrrhdrtggt
X-ME-Proxy: <xmx:VCS5YfGO8lRB2Cjyo4ifyjA6Wt6Q7zcsV509UD_i4yS6lW6TImTVRw>
    <xmx:VCS5YcTOwiB2rcMlP3WnztNjCmjK5iGqJqy-k3KGuE_Ql2i0re8Njw>
    <xmx:VCS5YczlqckQUZ03zTdsnKhqVToI70ABqpNGBwtdvRk0x8fqh_Oc2Q>
    <xmx:VCS5YZuEvV_3HqJSzNlAFj6VLmQz8zv0o8ZpX8wdP8V78_jzyHrkhQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501)
	id D70AF1EE007B; Tue, 14 Dec 2021 18:10:11 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-4514-g2bdc19e04f-fm-20211209.002-g2bdc19e0
Mime-Version: 1.0
Message-Id: <f8af7833-6dd5-43b5-a093-0cd41678b99a@www.fastmail.com>
In-Reply-To: <20211214213430.029b34c5@vostro>
References: <20211213212929.925-1-git@jfarr.cc>
 <20211214213430.029b34c5@vostro>
Date: Wed, 15 Dec 2021 00:09:36 +0100
From: "Jan Hendrik Farr" <git@jfarr.cc>
To: "Timo Teras" <timo.teras@iki.fi>
Cc: ~alpine/apk-tools@lists.alpinelinux.org
Subject: Re: [PATCH 1/1] libfetch: Allow special characters in http basic auth
Content-Type: text/plain

Hi,

> Thanks! There is a related bug
> https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10775
>
> If this get's fixed, add to commit message:
> ref #10775
>

Looks like this patch should fix that issue.



> Is the upstream file somewhere?

Yes. As I understand, libfetch.c was originally taken from NetBSD (with certain bits taken from FreeBSD): https://github.com/NetBSD/src/blob/trunk/external/bsd/fetch/dist/libfetch/fetch.c

That file has no fix for this and has the same issue. I took this fix from the FreeBSD version: https://cgit.freebsd.org/src/tree/lib/libfetch/fetch.c

I took the functions fetch_hexval and fetch_pctdecode (both exact copies) from that file and integrated them into fetchParseURL.



> minor readability issue; i'd prefer something like:
>   if (!dlen)
>     return NULL;
>   dlen--;
>   *dst++ = c;
>
> To make the error path and normal path more obvious.

Since fetch_pctdecode is an exact copy from FreeBSD I would prefer to keep it unchanged.



> This will terminate also with ':' in the string now. And will handle
> the rest of the URL incorrectly, and break password with ':'.

Usernames used for http basic authentication are not allowed to contain ":" according RFC7617 section 2.1 (https://datatracker.ietf.org/doc/html/rfc7617#section-2.1). They are allowed to contain other special characters though and the password is allowed to contain special characters including ":". The characters ":", "@", or "/" present in the username or password must be encoded using percent encoding per RFC1738 section 3.1 (https://datatracker.ietf.org/doc/html/rfc1738#section-3.1). So the only ":" present in this part of the string will be the separator between username and password.

Example:

username: foo@123/bar
password: pass1234:hello:

A correct proxy setting (or other URL) using these credentials should be encoded by the user as:

http://foo%40123%2Fbar:pass1234%3Ahello%3A@example.com

libfetch should then decode the percent encoding to obtain the username and password in plain text, append them using a ":", and then encode the result using base64 to be used during http basic authentication:

result: Zm9vQDEyMy9iYXI6cGFzczEyMzQ6aGVsbG86

The decoding of the percent encoding is added in this patch and the appending of username and password and base64 encoding is already correctly handled in http.c.



Would you prefer for me to open a merge request on your Gitlab instead? If yes: Which branch should I open the request for?


With kind regards,
Jan