-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Windows specific failure with basic auth using userpwd curl option but not header #224
Comments
There may have been a bug in the URL parser of the libcurl version that we shipped on Windows. As a workaround, instead of setting
h=handle_setopt(h, username="catmaid", password = "#DZaRJYrixKE*gFY") |
Thank you very much for the response Jeroen. How would you suggest do this from httr? I assume I can’t use the authenticate form but have to roll my own. Best, Greg.
…Sent from my iPhone
On 14 May 2020, at 09:49, Jeroen Ooms ***@***.***> wrote:
There may have been a bug in the URL parser of the libcurl version that we shipped on Windows.
As a workaround, instead of setting userpwd can you set username and password as separate arguments:
https://curl.haxx.se/libcurl/c/CURLOPT_USERNAME.html
https://curl.haxx.se/libcurl/c/CURLOPT_PASSWORD.html
h=handle_setopt(h, username="catmaid", password = "#DZaRJYrixKE*gFY")
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
Ah I didn't know httr uses userpwd. If you confirm this fixes the problem, I'll change it in httr. |
Thanks, Jeroen. I tried and unfortunately I still get the same error. Perhaps the
I guess I can do that like so in httr, but it seems unfortunate to have to by pass the normal authenticate mechanism.
|
PS a bit more info from verbose about how the URL is getting munged when things fail.
|
@bagder do you recall a bug in libcurl ~ 7.64.1 that would cause the userpwd to be parsed incorrectly? |
No, I cannot recall having seen any bug like this. Is it possible to see the wrong header emitted as compared to how the working header looks like? Maybe that will help... |
Hi @bagder, Thanks so much for taking a look as well. As far as I can see userpwd is correctly processed since if you look at the failed request below the authorization header "Basic Y2F0bWFpZDojRFphUkpZcml4S0UqZ0ZZ" is added and this matches the "user:password" combination. But what goes wrong is that the URL is then changed from
to
i.e. it is changed from
|
Did you really mean That URL has no user credentials provided. That's a fragment after the hostname There's supposed to be a colon between the user and the password, not a slash. |
No I didn’t! It’s what my original request gets turned into on Windows when I supply user and password as curl options!
I’m sorry my message may not have been that easy to understand but maybe try re-reading slowly. If not I will try to rephrase again. Thank you again so much for your input, Greg.
…Sent from my iPhone
On 14 May 2020, at 13:08, Daniel Stenberg ***@***.***> wrote:
Did you really mean ***@***.***/catmaid/2/annotations/ ?
That URL has no user credentials provided. That's a fragment after the hostname catmaid and the single slash as path.
There's supposed to be a colon between the user and the password, not a slash.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
@bagder libcurl is creating that url. These are his inputs: CURLOPT_URL: But then at the redirect, libcurl messes that up:
|
Gotcha. Digging. |
I can reproduce this bug with just curl on Linux! Will work on fix. |
Oh that's bad news for him :-) |
Found-by: Gregory Jefferis Reported-by: Jeroen Ooms Added test 1168 to verify. Bug spotted when doing a redirect. Bug: jeroen/curl#224
Yes, I realize that. I can only apologize and fix the issue. A work-around is possibly to change the password to not use a "hash" ( |
Another work-around is probably to set the credentials in the URL (which requires them to be URL encoded,
|
Aha, it is the hash! Thanks so much both of you! Do you think this bug is present in the current version of libcurl but not in an older version that I have on my Mac? Or is there something platform specific?
…Sent from my iPhone
On 14 May 2020, at 13:43, Daniel Stenberg ***@***.***> wrote:
Yes, I realize that. I can only apologize and fix the issue. A work-around is possibly to change the password to not use a "hash" (#) or at symbol (@) until running a fixed version.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
If the mac version is older than 7.62.0 then I think that's the explanation. I think this is a regression that came with 7.62.0 (which brought the refreshed URL parser internally in curl) or possibly some version later and as I could reproduce it now in my dev version it is still present in 7.70.0. |
Yes mac is older
|
Found-by: Gregory Jefferis Reported-by: Jeroen Ooms Added test 1168 to verify. Bug spotted when doing a redirect. Bug: jeroen/curl#224 Closes #5400
Found-by: Gregory Jefferis Reported-by: Jeroen Ooms Added test 1168 to verify. Bug spotted when doing a redirect. Bug: jeroen/curl#224 Closes #5400
Found-by: Gregory Jefferis Reported-by: Jeroen Ooms Added test 1168 to verify. Bug spotted when doing a redirect. Bug: jeroen/curl#224 Closes #5400
Found-by: Gregory Jefferis Reported-by: Jeroen Ooms Added test 1168 to verify. Bug spotted when doing a redirect. Bug: jeroen/curl#224 Closes #5400
I use curl via httr to access a web application used in brain mapping (https://github.com/natverse/rcatmaid). A colleague recently reported that he could not access his server which is protected by http basic authentication.
The gist of the problem is in this error message:
i.e. the basic auth username (
catmaid
) somehow gets mangled into the url and misinterpreted as the server URL.After digging, I can report the following.
then everything works just fine on windows and mac.
I am really stumped. Can you give any advice? Note that the tokens / password info above are fake as I'm afraid I cannot provide the real credentials here, but the password in
user:password
really does have both a#
and a*
in it.The text was updated successfully, but these errors were encountered: