flying-circus / pyfilesystem

Automatically exported from code.google.com/p/pyfilesystem
BSD 3-Clause "New" or "Revised" License
0 stars 0 forks source link

Right split the url in the opener opener to fix the case when the password contains an @ #166

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hi,

I’ve noticed when using the fs.opener that when passing in a fs_url with the 
username and password it fails to properly split the credentials from the url 
if the password contains an @ symbol. This would be solved simply by doing an 
rsplit() instead of a split() on the fs_url when parsing the url to extract the 
credentials. I believe the hostname or path shouldn’t contain @ symbols and 
the most likely place to find these would be in the password.

An alternative solution would be to use urllib.quote_plus()/unquote_plus() to 
decode the given urls and require people using special characters to pass in 
url-encoded fs_urls.

All the best,
Inti

Index: fs/opener.py
===================================================================
--- fs/opener.py               (revision )
+++ fs/opener.py             (revision )
@@ -94,7 +94,7 @@
     username = None
     password = None    
     if '@' in url:
-        credentials, url = url.split('@', 1)
+        credentials, url = url.rsplit('@', 1)
         if ':' in credentials:
             username, password = credentials.split(':', 1)
         else:

Original issue reported on code.google.com by intioc...@gmail.com on 30 Sep 2013 at 12:57

Attachments:

GoogleCodeExporter commented 9 years ago
Would this also cause problems if there was a : in the password?

IMHO the most logical way to solve this would be by using the same rules as 
defined in http://tools.ietf.org/html/rfc3986#section-3.2

Original comment by gc...@loowis.durge.org on 30 Sep 2013 at 8:50

GoogleCodeExporter commented 9 years ago
I don't think it would cause an issue if there was a : in the password as by 
the time we get to that point we have a string like 'username:password' so 
doing a left split here makes sense. This could break if the username contained 
a : but I imagine that would be much less likely.

I agree the right thing to do would be to follow the rfc URI syntax rules which 
say that to use any of the reserved characters you have to use url encoded 
versions of them. See my second paragraph in my first message about using 
urllib.unquote_plus()

Original comment by intioc...@gmail.com on 1 Oct 2013 at 7:32

GoogleCodeExporter commented 9 years ago
I concur, the 'right' thing to do is probably the url quoting. Although it's a 
bit unfortunate given that openers are used mostly on the command line.

To be honest, the opener parser could use a revisit. I'm sure we could 
formalize the syntax a bit. And I never did get round to writing tests!

Original comment by willmcgugan on 1 Oct 2013 at 8:03