Hi,

As I see no activity or feedback for this one-line patch, I think it
needs more explanation?

Currently, when you pass a URL with an embedded user/pass, the code parses it
badly.

For example:
https://mym...@example.com:my-passw...@another-domain.example.com/blabla

Just before the code searches whether the supplied URL contains a user/pass,
the variables are:

scheme = "https://";
host = "mym...@example.com:my-passw...@another-domain.example.com"

The code uses strchr(3) on host in order to find '@' in the host variable,
and separate the user/pass component and the host component.

But, with strchr the result is:
p = "mymail"
host = "example.com:my-passw...@another-domain.example.com"

The patch replaces strchr(3) with strrchr(3) to obtain:
p = "mym...@example.com:my-password"
host = "another-domain.example.com"

As the hostname should not contain the '@' char, and user/pass may contain
it (as defined by rfc1738), this patch makes ftp(1) respect the standard
more.

Thanks.
-- 
Sébastien Marie

On Mon, Jun 23, 2014 at 10:15:25AM +0200, Sébastien Marie wrote:
> Hi,
> 
> Using ftp(1) with the HTTP(S) scheme and Basic auth, it is currently not
> possible to have a username (or password) containing a '@'.
> 
> For example, this URI is badly parsed:
> ftp https://mym...@example.com:my-passw...@another-domain.example.com/blabla
> 
> According to RFC2617, '@' is a valid character in user-id or password:
>   user-pass   = userid ":" password
>   userid      = *<TEXT excluding ":">
>   password    = *TEXT
> 
> Here is a patch to search for the last '@' in the string (which doesn't contain
> the path at this time).
> 
> -- 
> Sébastien Marie
> 
> Index: fetch.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ftp/fetch.c,v
> retrieving revision 1.122
> diff -u -p -r1.122 fetch.c
> --- fetch.c   20 May 2014 01:25:23 -0000      1.122
> +++ fetch.c   23 Jun 2014 07:46:33 -0000
> @@ -474,7 +474,7 @@ noslash:
>        */
>       if (proxyenv == NULL &&
>           (!strcmp(scheme, HTTP_URL) || !strcmp(scheme, HTTPS_URL))) {
> -             if ((p = strchr(host, '@')) != NULL) {
> +             if ((p = strrchr(host, '@')) != NULL) {
>                       size_t authlen = (strlen(host) + 5) * 4 / 3;
>                       *p = 0; /* Kill @ */
>                       if ((auth = malloc(authlen)) == NULL)
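Review bot: the `strrchr(host, '@')` condition is only correct while `host` holds nothing past the authority, and nothing in this hunk states that invariant. The cover message says the path has already been removed at this point, so a short comment above the `if` recording that (and that the last '@' is chosen because user/pass may contain '@' while a hostname cannot) would stop a later reordering from silently treating an '@' in the path as the separator. Also worth noting in review: `authlen` is still computed from `strlen(host)` before `*p = 0`, so the buffer stays sized for the whole string, which is larger than needed but safe.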
> 
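The difference between the two searches described in this thread, as an added example that is not code from fetch.c or from the patch author. The `split_authority` helper, the `struct authority` type and the sample string are constructed for illustration; the check that the remaining host contains no '@' is an assumption about how a caller could detect the bad split.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types and helper for illustration, not taken from fetch.c. */
struct authority {
	char *user;	/* NULL when no userinfo is present */
	char *pass;	/* NULL when the userinfo has no ':' */
	char *host;
};

/*
 * Split "userinfo@host" in place. use_last selects strrchr (patched
 * behaviour) instead of strchr (old behaviour). Returns 0 on success,
 * -1 when the resulting host is empty or still contains '@'.
 */
static int
split_authority(char *s, int use_last, struct authority *a)
{
	char *at = use_last ? strrchr(s, '@') : strchr(s, '@');

	a->user = a->pass = NULL;
	a->host = s;
	if (at != NULL) {
		*at = '\0';		/* kill '@', as the hunk does */
		a->user = s;
		a->host = at + 1;
		/* RFC 2617: userid excludes ':', so the first ':' ends it. */
		if ((a->pass = strchr(a->user, ':')) != NULL)
			*a->pass++ = '\0';
	}
	/* A hostname never contains '@'; a leftover one means a bad split. */
	if (*a->host == '\0' || strchr(a->host, '@') != NULL)
		return -1;
	return 0;
}

int
main(void)
{
	/* Constructed sample authority, path already removed. */
	char first[] = "bob@example.com:s3cr@t@files.example.net";
	char last[] = "bob@example.com:s3cr@t@files.example.net";
	struct authority a;
	int rc;

	rc = split_authority(first, 0, &a);
	printf("strchr : rc=%d user=%s host=%s\n", rc, a.user, a.host);
	rc = split_authority(last, 1, &a);
	printf("strrchr: rc=%d user=%s pass=%s host=%s\n", rc, a.user, a.pass, a.host);
	return 0;
}
```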
