Use proper escaping for proxy passwords

URI.escape does not correctly escape some characters for HTTP proxy usernames and passwords. This means that passwords containing an "@" result in an exception. Now RubyGems uses proper escaping to allow all possible passwords. Fixes #668 See also ruby bug #8979
rubygems · Oct 11, 2013 · c355880 · c355880
1 parent daebc53
commit c355880
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 15 deletions.
diff --git a/History.txt b/History.txt
@@ -43,6 +43,8 @@ Bug fixes:
   objects.  Fixes #674 by jkanywhere.
 * Reduce sorting when fetching specifications.  This speeds up the update and
   outdated commands, and others.  Issue #657 by windwiny.
+* Proxy usernames and passwords are now escaped properly.  Ruby Bug #8979 by
+  Masahiro Tomita, Issue #668 by Kouhei Sutou.
 
 === 2.1.8 / 2013-10-10
 

diff --git a/lib/rubygems/request.rb b/lib/rubygems/request.rb
@@ -78,8 +78,8 @@ def connection_for(uri)
       net_http_args += [
         @proxy_uri.host,
         @proxy_uri.port,
-        @proxy_uri.user,
-        @proxy_uri.password
+        Gem::UriFormatter.new(@proxy_uri.user).unescape,
+        Gem::UriFormatter.new(@proxy_uri.password).unescape,
       ]
     end
 

diff --git a/lib/rubygems/uri_formatter.rb b/lib/rubygems/uri_formatter.rb
@@ -1,3 +1,4 @@
+require 'cgi'
 require 'uri'
 
 class Gem::UriFormatter
@@ -9,7 +10,7 @@ def initialize uri
 
   def escape
     return unless @uri
-    escaper.escape @uri
+    CGI.escape @uri
   end
 
   ##
@@ -21,18 +22,7 @@ def normalize
 
   def unescape
     return unless @uri
-    escaper.unescape @uri
-  end
-
-  private
-
-  def escaper
-    @uri_parser ||=
-      begin
-        URI::Parser.new
-      rescue NameError
-        URI
-      end
+    CGI.unescape @uri
   end
 
 end

diff --git a/test/rubygems/test_gem_request.rb b/test/rubygems/test_gem_request.rb
@@ -89,6 +89,17 @@ def test_get_proxy_from_env_domain
     assert_equal 'my bar', Gem::UriFormatter.new(proxy.password).unescape
   end
 
+  def test_get_proxy_from_env_escape
+    ENV['http_proxy'] = @proxy_uri
+    ENV['http_proxy_user'] = 'foo@user'
+    ENV['http_proxy_pass'] = 'my@bar'
+
+    proxy = @request.get_proxy_from_env
+
+    assert_equal 'foo%40user', proxy.user
+    assert_equal 'my%40bar',   proxy.password
+  end
+
   def test_get_proxy_from_env_normalize
     ENV['HTTP_PROXY'] = 'fakeurl:12345'
 

diff --git a/test/rubygems/test_gem_uri_formatter.rb b/test/rubygems/test_gem_uri_formatter.rb
@@ -16,5 +16,13 @@ def test_normalize_uri
       Gem::UriFormatter.new('example/').normalize
   end
 
+  def test_escape
+    assert_equal 'a%40b%5Cc', Gem::UriFormatter.new('a@b\c').escape
+  end
+
+  def test_unescape
+    assert_equal 'a@b\c', Gem::UriFormatter.new('a%40b%5Cc').unescape
+  end
+
 end