Hey all,

I've found an issue with SQLDB when developing my application. The URI handling does not allow special characters in database passwords. Unfortunately, I must connect to the database from my application using a password with special characters.

E.g., consider the URI for a database which has an @ in the password:

    postgres://username:p...@ssword@localhost:5432/database

That is the simplest way to break the current URI handling. Consider a more complex password like “...@b:3/c”, which is a valid postgres password and probably valid in other DBMS as well. It would build a URI that looks something like:

    postgres://username:a...@b:3/c...@host:port/database

The regular expression CAN be carefully modified to allow all of these characters in the password, but what about if you had special characters in your username too? Imagine if you had a (valid but contrived) postgres username like “u...@host/group:subgroup” with the same “...@b:3/c” password as before. Then your URI would look something like:

    postgres://u...@host/group:subgroup:a...@b:3/c...@host:port/database

I think this exposes a problem in general with parsing username and passwords from a URI, in that if you have these special characters you can no longer parse them with a simple regular expression. If you look at Section 3.1 of RFC 1738 - Uniform Resource Locators, they already thought of this, and they say that within the user and password field you should encode any ":", "@", or "/".

I have tried modifying SQLDB to pass the username and password through the urllib.unquote function as follows:

    user = urllib.unquote(m.group("user"))
    passwd = urllib.unquote(m.group("passwd"))

Then when opening the database do something like this:

    SQLDB("postgres://%(user)s:%(pass)s...@localhost:5432/database" % \
          ({'user': urllib.quote("test"), 'pass': urllib.quote("p...@ssword")}))

This works fine for me. And passwords without special characters will be unmodified by urllib.unquote(). In this way backwards compatibility is mostly intact. However, consider a user who currently has a password with a % character. Even though it works fine now, if you were to pass the password through urllib.unquote then it would assume the % was an escape sequence and produce unexpected results for them.

What do you think?

Regards,
Josh Jaques
Seccuris Inc.
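
Added example, not part of the original post and not SQLDB's own code: a round trip through the RFC 1738 section 3.1 encoding discussed above, including the "%" compatibility case. It uses Python 3's urllib.parse in place of the urllib.quote/unquote calls in the post; URI_RE, build_uri and parse_uri are hypothetical names, and the credentials are constructed sample values.

```python
import re
from urllib.parse import quote, unquote

# Hypothetical pattern standing in for a simple regex-based URI parser;
# this is NOT SQLDB's actual regular expression.
URI_RE = re.compile(
    r"^(?P<scheme>\w+)://(?P<user>[^:@/]+):(?P<passwd>[^:@/]*)"
    r"@(?P<host>[^:/@]+):(?P<port>\d+)/(?P<db>[^/]+)$"
)


def build_uri(scheme, user, passwd, host, port, db):
    """Build a connection URI with percent-encoded credentials."""
    # safe="" makes quote() encode "/" as well as ":" and "@", so the
    # delimiters can never appear raw inside the user or password fields.
    return "%s://%s:%s@%s:%d/%s" % (
        scheme, quote(user, safe=""), quote(passwd, safe=""), host, port, db)


def parse_uri(uri, decode=True):
    """Split a URI into its parts; decode=False mimics the old behaviour."""
    m = URI_RE.match(uri)
    if m is None:
        # Do not echo the URI in the error: it contains the password.
        raise ValueError("unparseable database URI")
    parts = m.groupdict()
    if decode:
        parts["user"] = unquote(parts["user"])
        parts["passwd"] = unquote(parts["passwd"])
    parts["port"] = int(parts["port"])
    return parts


if __name__ == "__main__":
    # Constructed credentials containing all three reserved characters.
    uri = build_uri("postgres", "u@host/group:sub", "p@ss:w/rd",
                    "localhost", 5432, "database")
    print(uri)
    print(parse_uri(uri))

    # Compatibility case: a URI written before decoding was introduced,
    # whose raw password happens to contain a valid escape sequence.
    legacy = "postgres://username:50%41off@localhost:5432/database"
    print(parse_uri(legacy, decode=False)["passwd"])  # password as written
    print(parse_uri(legacy, decode=True)["passwd"])   # silently altered
```

A "%" that is not followed by two hex digits passes through unquote unchanged, so only existing passwords that happen to contain a valid escape sequence are affected by the change.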