Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

netrc quoting passwords with spaces are not handled properly #8908

Closed
ImpatientHippo opened this issue May 24, 2022 · 3 comments
Closed

netrc quoting passwords with spaces are not handled properly #8908

ImpatientHippo opened this issue May 24, 2022 · 3 comments

Comments

@ImpatientHippo
Copy link

@ImpatientHippo ImpatientHippo commented May 24, 2022

.netrc contains
machine somehost login user password "super secret"

curl http://somehost

should send Auth Header

Authorization: Basic base64(user:super secret)

but it sends:

Authorization: Basic base64(user:"super)

Happens on ubuntu 22.04 curl 7.81.0

@bagder
Copy link
Member

@bagder bagder commented May 24, 2022

According to whom? some sources clearly say passwords in .netrc cannot have space. The .netrc format is wonderfully weakly specified (== not at all).

@ImpatientHippo
Copy link
Author

@ImpatientHippo ImpatientHippo commented May 24, 2022

commandline ftp , perl and wget (which I am using since ages) seem to support it well at least unofficially:

https://stackoverflow.com/questions/12674888/can-netrc-handle-passphrases-with-spaces/12675195?noredirect=1#comment45821702_12675195

@bagder
Copy link
Member

@bagder bagder commented May 30, 2022

I suppose the worst thing is that if we introduce this way of accepting quoted strings, we risk breaking existing scripts/command lines out there that rely on the existing parsing logic.

Someone on IRC the other day used another tool (fetchmail iirc) that accepts double-quotes as escape letters in .netrc files, making "" become a single double quote there.

All in all, it seems more or less impossible to make a single netrc parser that supports all of these different flavors and dialects. Quite annoying.

bagder added a commit that referenced this issue May 30, 2022
The .netrc parser now accepts strings within double-quotes in order to
deal with for example passwords containing white space - which
previously was not possible.

A password that starts with a double-quote also ends with one, and
double-quotes themselves are escaped with backslashes, like \". It also
supports \n, \r and \t for newine, carriage return and tabs
respectively.

If the password does not start with a double quote, it will end at first
whitespace and no escaping is performed.

WARNING: this change is not entirely backwards compatible. If anyone
previously used a double-quote as the first letter of their password,
the parser will now get it differently compared to before. This is
highly unfortunate but hard to avoid.

Reported-by: ImpatientHippo on GitHub
Fixes #8908
@bagder bagder linked a pull request May 30, 2022 that will close this issue
bagder added a commit that referenced this issue May 30, 2022
The .netrc parser now accepts strings within double-quotes in order to
deal with for example passwords containing white space - which
previously was not possible.

A password that starts with a double-quote also ends with one, and
double-quotes themselves are escaped with backslashes, like \". It also
supports \n, \r and \t for newline, carriage return and tabs
respectively.

If the password does not start with a double quote, it will end at first
white space and no escaping is performed.

WARNING: this change is not entirely backwards compatible. If anyone
previously used a double-quote as the first letter of their password,
the parser will now get it differently compared to before. This is
highly unfortunate but hard to avoid.

Reported-by: ImpatientHippo on GitHub
Fixes #8908
bagder added a commit that referenced this issue May 30, 2022
The .netrc parser now accepts strings within double-quotes in order to
deal with for example passwords containing white space - which
previously was not possible.

A password that starts with a double-quote also ends with one, and
double-quotes themselves are escaped with backslashes, like \". It also
supports \n, \r and \t for newline, carriage return and tabs
respectively.

If the password does not start with a double quote, it will end at first
white space and no escaping is performed.

WARNING: this change is not entirely backwards compatible. If anyone
previously used a double-quote as the first letter of their password,
the parser will now get it differently compared to before. This is
highly unfortunate but hard to avoid.

Reported-by: ImpatientHippo on GitHub
Fixes #8908
Closes #8937
@bagder bagder closed this as completed in eeaae10 May 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants