Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

URL parser treats blank user as no user (CURLUE_NO_USER) #9088

Closed
jay opened this issue Jul 3, 2022 · 2 comments
Closed

URL parser treats blank user as no user (CURLUE_NO_USER) #9088

jay opened this issue Jul 3, 2022 · 2 comments
Assignees
@bagder
Labels
authentication URL Windows Windows-specific

Comments

@jay
Copy link
Member

jay commented Jul 3, 2022

I did this

http://:@corporate_proxy:8080/ from jeroen/curl#237. It seems to me the reporter @OscarLane wants to be able to set ALL_PROXY with a blank user/pass so that libcurl w/SSPI will use his Windows credentials.

When the username is retrieved from the CURLU it returns CURLUE_NO_USER which is documented as "There is no user part in the URL."

curl/lib/url.c

Lines 2502 to 2513 in 45ac4d0

/* Is there a username and password given in this proxy url? */
uc = curl_url_get(uhp, CURLUPART_USER, &proxyuser, CURLU_URLDECODE);
if(uc && (uc != CURLUE_NO_USER))
goto error;
uc = curl_url_get(uhp, CURLUPART_PASSWORD, &proxypasswd, CURLU_URLDECODE);
if(uc && (uc != CURLUE_NO_PASSWORD))
goto error;
if(proxyuser || proxypasswd) {
Curl_safefree(proxyinfo->user);
proxyinfo->user = proxyuser;
result = Curl_setstropt(&data->state.aptr.proxyuser, proxyuser);

I expected the following

I'm not sure on this one. Is this expected?

curl/libcurl version

curl 7.84.1-DEV (i386-pc-win32) libcurl/7.84.1-DEV Schannel WinIDN
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS Debug HSTS IDN IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI Unicode UnixSockets

/cc @jeroen
@jay jay added URL authentication Windows Windows-specific labels Jul 3, 2022
@jay jay mentioned this issue Jul 3, 2022
Open
@bagder
Copy link
Member

bagder commented Jul 3, 2022

Is this expected?

I don't think anyone has thought about it. The entire "set blank user name to trigger X" is a somewhat of a kludge, so it's not always easy to tell how it should work!

@jay
Copy link
Member Author

jay commented Jul 4, 2022

I don't see any downsides to changing it. The change below fixes it but then will also do it even if the login string is empty, for example http://@test.com

diff --git a/lib/url.c b/lib/url.c
index 1114c6c..0ce1aa1 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2894,7 +2894,7 @@ CURLcode Curl_parse_login_details(const char *login, const size_t len,
                                  (size_t)(login + len - osep)) - 1 : 0);
 
   /* Allocate the user portion buffer */
-  if(userp && ulen) {
+  if(userp) {
     ubuf = malloc(ulen + 1);
     if(!ubuf)
       result = CURLE_OUT_OF_MEMORY;

bagder added a commit that referenced this issue Sep 25, 2022
@bagder
url: a zero-length userinfo part in the URL is still a (blank) user
c85509e 
Adjusted test 1560 to verify

Reported-by: Jay Satiro

Fixes #9088
@bagder bagder mentioned this issue Sep 25, 2022
Closed
@bagder bagder self-assigned this Sep 25, 2022
@bagder bagder closed this as completed in 1a87a1e Sep 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bagder bagder

Labels
authentication URL Windows Windows-specific
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

url: a zero-length userinfo part in the URL is still a (blank) user curl/curl
2 participants
@bagder @jay