Closed jrohel closed 1 month ago
If it is a problem to URI-encode the value before passing it to libcurl (e.g. because libcurl does not support it), librepo should report an error back to the application instead of passing a garbage to libcurl.
@ppisar
The problem is in libcurl in the CURLOPT_USERPWD
option. It doesn't perform url decode and thus doesn't allow colons in the username.
In 2008 they added proxy support and the CURLOPT_PROXYUSERPWD
option to libcurl. The CURLOPT_PROXYUSERPWD
option behaves differently. It performs url decode. This makes it possible to pass any character in the name and password. But it is inconsistent with CURLOPT_USERPWD
. See the documentation: https://curl.se/libcurl/c/CURLOPT_PROXYUSERPWD.html
Both the name and the password are URL decoded before used, so to include for example a colon in the username you should encode it as %3A. (This is different to how CURLOPT_USERPWD is used - beware.)
And they added two new options CURLOPT_USERNAME
and CURLOPT_PASSWORD
, because they could not change the behavior of the original CURLOPT_USERPWD
option to remain compatible.
It is a pity that instead of CURLOPT_PROXYUSERPWD
they did not introduce CURLOPT_PROXYUSERNAME
and CURLOPT_PROXYPASSWORD
. Now there is confusion.
In the librepo, adding LRO_USERNAME
and LRO_PASSWORD
and using CURLOPT_USERNAME
and CURLOPT_PASSWORD
now seems like a reasonable fix. Thus, copying the libcurl API.
@ppisar I'm sorry, I just realized what you were gonna say. You're not responding to the creation of a new API supporting any character in the name and password. You are pointing out that the old API should be modified to report an error if someone tries to send unsupported characters through it.
Librepo will create a configuration string
[username]:[password]
from theusername
andpassword
and pass it to libcurlCURLOPT_USERPWD
. The user and password strings are not URL decoded, so there is no way to send in ausername
containing a colon using this option.Suggested fix: Extend the librepo API. The new librepo API will use the new libcurl API options
CURLOPT_USERNAME
andCURLOPT_PASSWORD
.