Project

Profile

Help

Issue #2520

credentials in feed URL are not url-unquoted

Added by mhrivnak over 4 years ago. Updated over 2 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.11.2
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Easy Fix, Pulp 2
Sprint:
Sprint 13
Quarter:

Description

This change: https://github.com/pulp/pulp/pull/2697/files#diff-ea2980a00ce94a68c6280c62d0e8b64eR57

introduced the ability to automatically parse a feed url, extract any credentials included in the URL, and add them to an importer config.

It fails to "urlunquote" the credentials, so if a user includes a url-quotable character in a credential, authentication will fail.

For example, "username:p@ssword" would appear in the URL as "username:p%40ssword". The credentials need to be passed through this function before being added to the importer config:

https://docs.python.org/2/library/urllib.html#urllib.unquote


Related issues

Related to Pulp - Issue #1977: basic auth in URL fails when using authenticated proxyCLOSED - CURRENTRELEASE<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>

Associated revisions

Revision dd4e4916 View on GitHub
Added by daviddavis over 4 years ago

URL unquote escaped credentials in feed URL

fixes #2520 https://pulp.plan.io/issues/2520

Revision dd4e4916 View on GitHub
Added by daviddavis over 4 years ago

URL unquote escaped credentials in feed URL

fixes #2520 https://pulp.plan.io/issues/2520

History

#1 Updated by mhrivnak over 4 years ago

  • Related to Issue #1977: basic auth in URL fails when using authenticated proxy added

#2 Updated by bizhang over 4 years ago

  • Sprint/Milestone set to 31
  • Triaged changed from No to Yes

#3 Updated by daviddavis over 4 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to daviddavis

#4 Updated by daviddavis over 4 years ago

What if the user's password in the URL is actually p%40ssword and not p@ssword? For example, before this change:

pulp-admin rpm repo create --repo-id test --feed "http://usern%40me:password@example.com/repo"
pulp-admin rpm repo list --repo-id test --details
...
Basic Auth Username: usern%40me

After this change:

pulp-admin rpm repo create --repo-id test --feed "http://usern%40me:password@example.com/repo"
pulp-admin rpm repo list --repo-id test --details
...
Basic Auth Username: usern@me

Two possible solutions:

1. Mandate that users pass in feed as a url quoted string (in this case usern%2540me)
2. Have pulp-admin convert any feed url passed in to its url quoted equivalent and send it to the server

#5 Updated by mhrivnak over 4 years ago

I like the edge-case scrutiny. :)

I like solution 1. We should require the user to construct correct URLs. If they put a string in the URL that conflicts with standard URL quoting, that's just incorrect.

#6 Updated by daviddavis over 4 years ago

  • Status changed from ASSIGNED to POST

#7 Updated by daviddavis over 4 years ago

  • Status changed from POST to MODIFIED

#8 Updated by semyers over 4 years ago

  • Platform Release set to 2.11.2

#9 Updated by semyers over 4 years ago

  • Status changed from MODIFIED to 5

#11 Updated by semyers over 4 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#12 Updated by bmbouter over 3 years ago

  • Sprint set to Sprint 13

#13 Updated by bmbouter over 3 years ago

  • Sprint/Milestone deleted (31)

#14 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added

Please register to edit this issue

Also available in: Atom PDF