Project

Profile

Help

Issue #2520

closed

credentials in feed URL are not url-unquoted

Added by mhrivnak about 7 years ago. Updated almost 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.11.2
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Easy Fix, Pulp 2
Sprint:
Sprint 13
Quarter:

Description

This change: https://github.com/pulp/pulp/pull/2697/files#diff-ea2980a00ce94a68c6280c62d0e8b64eR57

introduced the ability to automatically parse a feed url, extract any credentials included in the URL, and add them to an importer config.

It fails to "urlunquote" the credentials, so if a user includes a url-quotable character in a credential, authentication will fail.

For example, "username:p@ssword" would appear in the URL as "username:p%40ssword". The credentials need to be passed through this function before being added to the importer config:

https://docs.python.org/2/library/urllib.html#urllib.unquote


Related issues

Related to Pulp - Issue #1977: basic auth in URL fails when using authenticated proxyCLOSED - CURRENTRELEASEamacdona@redhat.comActions
Actions #1

Updated by mhrivnak about 7 years ago

  • Related to Issue #1977: basic auth in URL fails when using authenticated proxy added
Actions #2

Updated by bizhang about 7 years ago

  • Sprint/Milestone set to 31
  • Triaged changed from No to Yes
Actions #3

Updated by daviddavis about 7 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to daviddavis
Actions #4

Updated by daviddavis about 7 years ago

What if the user's password in the URL is actually p%40ssword and not p@ssword? For example, before this change:

pulp-admin rpm repo create --repo-id test --feed "http://usern%40me:password@example.com/repo"
pulp-admin rpm repo list --repo-id test --details
...
Basic Auth Username: usern%40me

After this change:

pulp-admin rpm repo create --repo-id test --feed "http://usern%40me:password@example.com/repo"
pulp-admin rpm repo list --repo-id test --details
...
Basic Auth Username: usern@me

Two possible solutions:

1. Mandate that users pass in feed as a url quoted string (in this case usern%2540me)
2. Have pulp-admin convert any feed url passed in to its url quoted equivalent and send it to the server

Actions #5

Updated by mhrivnak about 7 years ago

I like the edge-case scrutiny. :)

I like solution 1. We should require the user to construct correct URLs. If they put a string in the URL that conflicts with standard URL quoting, that's just incorrect.

Actions #6

Updated by daviddavis about 7 years ago

  • Status changed from ASSIGNED to POST

Added by daviddavis about 7 years ago

Revision dd4e4916 | View on GitHub

URL unquote escaped credentials in feed URL

fixes #2520 https://pulp.plan.io/issues/2520

Added by daviddavis about 7 years ago

Revision dd4e4916 | View on GitHub

URL unquote escaped credentials in feed URL

fixes #2520 https://pulp.plan.io/issues/2520

Actions #7

Updated by daviddavis about 7 years ago

  • Status changed from POST to MODIFIED
Actions #8

Updated by semyers about 7 years ago

  • Platform Release set to 2.11.2
Actions #9

Updated by semyers about 7 years ago

  • Status changed from MODIFIED to 5
Actions #11

Updated by semyers about 7 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #12

Updated by bmbouter about 6 years ago

  • Sprint set to Sprint 13
Actions #13

Updated by bmbouter about 6 years ago

  • Sprint/Milestone deleted (31)
Actions #14

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF