From: ruby-lang@... Date: 2021-01-14T12:30:22+00:00 Subject: [ruby-core:102089] [Ruby master Bug#17542] Username and password are not decoded if retrieved from env Issue #17542 has been reported by leipert (Lukas Eipert). ---------------------------------------- Bug #17542: Username and password are not decoded if retrieved from env https://bugs.ruby-lang.org/issues/17542 * Author: leipert (Lukas Eipert) * Status: Open * Priority: Normal * ruby -v: ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-darwin18] * Backport: 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN ---------------------------------------- If someone sets an env variable defining a http_proxy (ENV['http_proxy']), containing a username / password with percent-encoded characters, then the resulting base64 encoded auth header will be wrong. For example, suppose a username is `Y\X` and the password is `R%S] ?X`. Properly URL encoded the proxy url would be: http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000 The resulting proxy auth header should be: `WVxYOlIlU10gP1g=`, but the getters defined by ruby StdLib `URI` return a username `Y%5CX` and password `R%25S%5D%20%3FX`, resulting in `WSU1Q1g6UiUyNVMlNUQlMjAlM0ZY`. As a result the proxy will deny the request. Please note that this is my first contribution to the ruby ecosystem, to standard lib especially and I am not a ruby developer. I don't understand ruby's encoding system and the code is not properly ruby-esque. Sorry for that and a happy and healthy 2021! --- The description above is taken from: https://github.com/ruby/net-http/pull/5 References: - https://gitlab.com/gitlab-org/gitlab/-/issues/289836 - https://bugs.ruby-lang.org/projects/ruby-master/repository/trunk/revisions/58461 - https://bugs.ruby-lang.org/issues/12921 -- https://bugs.ruby-lang.org/ Unsubscribe: