breaking change in 7.82.0: mandatory login token in .netrc

[standsed]

I did this

Create/append ~/.netrc file with record without login token, e.g.,
machine curl.com password S3cr3t

run
curl https://host.com --netrc --verbose

I expected the following

Header to be sent
Authorization: Basic Onp4Y3Y=

curl/libcurl version

Does not work:
docker image: curlimages/curl:7.82.0
curl 7.82.0-DEV (x86_64-pc-linux-musl) libcurl/7.82.0-DEV OpenSSL/1.1.1n zlib/1.2.11 brotli/1.0.9 libssh2/1.10.0 nghttp2/1.46.0
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets

Works:
docker image: curlimages/curl:7.81.0
curl 7.81.0-DEV (x86_64-pc-linux-musl) libcurl/7.81.0-DEV OpenSSL/1.1.1l zlib/1.2.11 brotli/1.0.9 libssh2/1.10.0 nghttp2/1.46.0
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets

curlimages/curl:7.77.0 also ok

[jay]

Bisected to 7d600ad (#8451) which removed the user_passwd flag in favor of checking user pointer. AFAICT that means now that a username must always be set if a password is set. There is code in parseurlandfillconn which sets an empty username if no username was found in the URL but a password was found:

curl/lib/url.c

Lines 2066 to 2069 in 64db5c5

	else if(data->state.aptr.passwd) {
	/* no user was set but a password, set a blank user */
	result = Curl_setstropt(&data->state.aptr.user, "");
	}

netrc user/pass comes in later in override_login, but it doesn't have the same logic to create a blank username if there's a password but no username. I'm not sure the reasons for that but here is some similar logic that works:

diff --git a/lib/url.c b/lib/url.c
index a56e4b0..9f29593 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2971,6 +2971,12 @@ static CURLcode override_login(struct Curl_easy *data,
       /* don't update the user name below */
       userp = NULL;
     }
+    /* no user was set but a password, set a blank user */
+    if(userp && !*userp && *passwdp) {
+      *userp = strdup("");
+      if(!*userp)
+        return CURLE_OUT_OF_MEMORY;
+    }
   }
 #endif
 

curlimages/curl:7.77.0 also ok

Though 7.81.0 may work, 7.77.0 and some other older versions have a bug with blank usernames where they actually send "(nil)" for the username. So if you must work around this immediately use 7.81.0 not older versions.

[bagder]

@jay, if this is a proposal shouldn't it be made as a PR?

[jay]

I was more at the concept phase. Does it make sense to check in override_login?

[bagder]

If all other existing tests work and you add a new one that reproduces the problem without the patch and works with the patch, then I think it sounds l like a good fix!

[domenkozar]

This broke https://cachix.org and a lot of users are having problems when they upgrade to latest curl.

How can I help to expedite this?

[domenkozar]

I can confirm the patch fixes the issue.

[jay]

I can confirm the patch fixes the issue.

Thanks. I will look at turning the patch into a PR.

[orgads]

I've noticed another regression. I do have username in netrc, but if I provide a username in the URL, none of them is used, and no Authorization header is sent (even if it is the same user).

Example:
.netrc:

machine server login user password 5up3r53cr31

$ curl -n http://user@server/
Unauthorized

This is not covered by #9066.

[orgads]

My issue is caused by d1237ac.

[orgads]

I'll file a new issue.

• Done: REG [7.81->7.82] Authorization doesn't work for user in URL + netrc #9243