author | Lukas Eipert <leipert@gitlab.com> | 2020-12-30 21:24:16 +0100 |
---|---|---|
committer | Hiroshi SHIBATA <hsbt@ruby-lang.org> | 2021-04-28 11:01:23 +0900 |
commit | 842f00f45212019a3b07f8d8dac269d35beb9efa (patch) | |
tree | 38c252c4bcc4b71a989dd10d2f87c546d494322d /test | |
parent | 8a2b7b79ee8a1ba487c0b5064c0730b98f5ba438 (diff) |
[ruby/net-http] Decode user and password from env configured proxy
If someone sets an env variable defining a http_proxy, containing a
username / password with percent-encoded characters, then the resulting
base64 encoded auth header will be wrong.
For example, suppose a username is `Y\X` and the password is `R%S] ?X`.
Properly URL encoded the proxy url would be:
http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000
The resulting proxy auth header should be: `WVxYOlIlU10gP1g=`, but the
getters defined by ruby StdLib `URI` return a username `Y%5CX` and
password `R%25S%5D%20%3FX`, resulting in `WSU1Q1g6UiUyNVMlNUQlMjAlM0ZY`.
As a result the proxy will deny the request.
Please note that this is my first contribution to the ruby ecosystem, to
standard lib especially and I am not a ruby developer.
References:
- https://gitlab.com/gitlab-org/gitlab/-/issues/289836
- https://bugs.ruby-lang.org/projects/ruby-master/repository/trunk/revisions/58461
- https://bugs.ruby-lang.org/issues/17542
https://github.com/ruby/net-http/commit/e57d4f38aa
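The mismatch described in the commit message can be reproduced with the sketch below. It is an added example, not code from this commit or from net-http. The helper names `decode_userinfo`, `basic_credentials` and `proxy_auth_values` are hypothetical, and the hand-written percent-decoder is an assumption made for illustration, not the decoder the fix uses.

```ruby
require 'uri'

# Proxy URL taken from the commit message; user is Y\X, password is R%S] ?X.
PROXY_URL = 'http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000'

# Percent-decode one userinfo component (hypothetical helper, not net-http's).
# Only %XX escapes are decoded; a literal '+' stays '+', unlike form decoding.
def decode_userinfo(component)
  return nil if component.nil?
  component.b.gsub(/%\h\h/) { |m| m[1, 2].hex.chr }.force_encoding(Encoding::UTF_8)
end

# Credentials part of a "Proxy-Authorization: Basic ..." header.
def basic_credentials(user, pass)
  ["#{user}:#{pass}"].pack('m0') # m0 = base64 without line breaks
end

# Returns nil when the URL has no userinfo, otherwise both header values and
# whether this proxy setting is affected by the missing decode step.
def proxy_auth_values(proxy_url)
  uri = URI.parse(proxy_url)
  return nil unless uri.user
  raw = basic_credentials(uri.user, uri.password)
  decoded = basic_credentials(decode_userinfo(uri.user), decode_userinfo(uri.password))
  { raw: raw, decoded: decoded, affected: raw != decoded }
end

if __FILE__ == $PROGRAM_NAME
  result = proxy_auth_values(PROXY_URL)
  puts "URI getters as-is : #{result[:raw]}"
  puts "after decoding    : #{result[:decoded]}"
  puts "setting affected  : #{result[:affected]}"
end
```

Running `proxy_auth_values` over the proxy URLs a deployment actually sets shows which of them carry escaped credentials and would have been rejected before the fix.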
Diffstat (limited to 'test')
-rw-r--r-- | test/net/http/test_http.rb | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/test/net/http/test_http.rb b/test/net/http/test_http.rb index 22448d828f..60b6d51f99 100644 --- a/test/net/http/test_http.rb +++ b/test/net/http/test_http.rb @@ -188,6 +188,23 @@ class TestNetHTTP < Test::Unit::TestCase end end + def test_proxy_eh_ENV_with_urlencoded_user + TestNetHTTPUtils.clean_http_proxy_env do + ENV['http_proxy'] = 'http://Y%5CX:R%25S%5D%20%3FX@proxy.example:8000' + + http = Net::HTTP.new 'hostname.example' + + assert_equal true, http.proxy? + if Net::HTTP::ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE + assert_equal "Y\\X", http.proxy_user + assert_equal "R%S] ?X", http.proxy_pass + else + assert_nil http.proxy_user + assert_nil http.proxy_pass + end + end + end + def test_proxy_eh_ENV_none_set TestNetHTTPUtils.clean_http_proxy_env do assert_equal false, Net::HTTP.new('hostname.example').proxy? |
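Review bot: The fixture URL in test_proxy_eh_ENV_with_urlencoded_user only contains escapes (%5C, %25, %5D, %20, %3F) that every percent-decoder maps to the same bytes, so the test does not pin down how a literal `+` in the credentials is treated. A form-style decoder would turn `+` into a space and the resulting Basic auth header would be wrong again, just for a different set of passwords. Consider adding a second fixture with an unescaped `+` and an escaped `%2B` in the password and asserting the expected `http.proxy_pass` for each, plus a case with a user but no password so the nil path of the decode step is covered. Since this view is limited to 'test', the decoding change itself is not visible here; the assertions in the `ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE` branch are the only specification of its behaviour on this page, which is why the extra cases are worth having.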