search

rpm-software-management / librepo

A library providing C and Python (libcURL like) API for downloading packages and linux repository metadata in rpm-md format
http://rpm-software-management.github.io/librepo/
GNU Lesser General Public License v2.1
74 stars 90 forks source link

lr_handle_setopt: Cannot use `:` character in `username` - LRO_USERPWD #315

Closed jrohel closed 1 month ago

jrohel commented 1 month ago

Librepo will create a configuration string [username]:[password] from the username and password and pass it to libcurl CURLOPT_USERPWD. The user and password strings are not URL decoded, so there is no way to send in a username containing a colon using this option.

Suggested fix: Extend the librepo API. The new librepo API will use the new libcurl API options CURLOPT_USERNAME and CURLOPT_PASSWORD.

ppisar commented 1 month ago

If it is a problem to URI-encode the value before passing it to libcurl (e.g. because libcurl does not support it), librepo should report an error back to the application instead of passing a garbage to libcurl.

jrohel commented 1 month ago

@ppisar The problem is in libcurl in the CURLOPT_USERPWD option. It doesn't perform url decode and thus doesn't allow colons in the username. In 2008 they added proxy support and the CURLOPT_PROXYUSERPWD option to libcurl. The CURLOPT_PROXYUSERPWD option behaves differently. It performs url decode. This makes it possible to pass any character in the name and password. But it is inconsistent with CURLOPT_USERPWD. See the documentation: https://curl.se/libcurl/c/CURLOPT_PROXYUSERPWD.html
Both the name and the password are URL decoded before used, so to include for example a colon in the username you should encode it as %3A. (This is different to how CURLOPT_USERPWD is used - beware.)

And they added two new options CURLOPT_USERNAME and CURLOPT_PASSWORD, because they could not change the behavior of the original CURLOPT_USERPWD option to remain compatible.

It is a pity that instead of CURLOPT_PROXYUSERPWD they did not introduce CURLOPT_PROXYUSERNAME and CURLOPT_PROXYPASSWORD. Now there is confusion.

In the librepo, adding LRO_USERNAME and LRO_PASSWORD and using CURLOPT_USERNAME and CURLOPT_PASSWORD now seems like a reasonable fix. Thus, copying the libcurl API.

jrohel commented 1 month ago

@ppisar I'm sorry, I just realized what you were gonna say. You're not responding to the creation of a new API supporting any character in the name and password. You are pointing out that the old API should be modified to report an error if someone tries to send unsupported characters through it.