From: Björn Bidar via "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Newsgroups: gmane.emacs.bugs
Subject: bug#72526: 31.0.50; [PATCH] Fix url-basic-auth secret search when passing username and/or port
Date: Sun, 18 Aug 2024 15:30:22 +0300
Message-ID: <2218.57707235671$1723984332@news.gmane.org>
References: <86bk1r661g.fsf@gnu.org> <86ed6n2zld.fsf@gnu.org> <867cce1ke4.fsf@gnu.org>
In-Reply-To: <867cce1ke4.fsf@gnu.org> (Eli Zaretskii's message of "Sun, 18 Aug 2024 08:15:47 +0300")
Reply-To: Björn Bidar
To: Eli Zaretskii
Cc: 72526@debbugs.gnu.org

Eli Zaretskii writes:

>> From: Björn Bidar
>> Cc: 72526@debbugs.gnu.org
>> Date: Sat, 17 Aug 2024 23:50:51 +0300
>>
>> Eli Zaretskii writes:
>>
>> >> > Sorry, I don't see any experts around to ask to do that.
>> >>
>> >> Maybe the maintainer of the url package?
>> >
>> > Whom did you have in mind? url.el says "emacs-devel", which is
>> > basically no one and everyone.
>>
>> I don't know, the person that usually deals with the package?
>
> I couldn't find him or her in the recent logs. I concluded we didn't
> have such a person.
>
>> >> > Maybe if you'd posted a more detailed description of the problem and
>> >> > its context, someone could follow your arguments and do a meaningful
>> >> > review. E.g., it sounds from your description like the case of URLs
>> >> > where it currently fails was not meant to be supported by this
>> >> > library? If so, perhaps an alternative is to submit to this library
>> >> > only URLs that it supports, like after stripping the port part?
>> >>
>> >> The problem is that the user in url-basic-auth when handling urls like ://@ isn't
>> >> forwarded to auth-source. Further it also appends the port to the
>> >> hostname of host which means that the host is invalid since the hostname
>> >> includes the port number.
>> >>
>> >> From what I read when looking at url-auth.el at line 84 it does support
>> >> this kind of case of url as it already handles the same type of url when
>> >> it deals with ://:@.
>> >
>> > So how come this code was not fixed since the day it was added to
>> > Emacs, so long ago?
>>
>> I don't know, I assume it was never an issue at that time?
>> In any case amending the port to the :host key seems like a bug to me.
>> Similarly when the user specifies the user in the url it should be
>> passed to auth-source so it can find the credentials.
>
> So please take me through your changes with more detailed
> explanations, without assuming I know my way around this code. A few
> things bother me just by looking at the diffs: (1) why do we need to
> calculate 'server' more than once using the same code in the same
> function, and (2) will auth-source-search as called in
> url-do-auth-source-search DTRT when called with ':user nil', which
> will happen if the last argument is omitted. I also wonder what is
> the semantics of the call to auth-source-search in the current code
> where the user is omitted. AFAIU, in that case Emacs will prompt the
> user for username? If so, why is it a good idea to pass to
> auth-source-search USER derived by url-basic-auth, instead of
> prompting?

1. url-basic-auth-store uses the 'server' as in the ':' in
   url-basic-auth-storage. I did not want to change the existing format
   as I don't know the implications.
2. I tested calling auth-source-search with :user nil and without :user;
   in both cases the result was the same, from this I imply that calling
   auth-source-search with :user nil is ok.

Yes, if auth-source-search doesn't find a user for the url, url-basic-auth
will prompt the user for a user.

Why is it a good idea to derive the user by url-basic-auth?
Because HTTP basic authentication uses the as specified in RFC 3986
section 3.2.1. Using it in this function to infer the user from the url
just follows the standard as already in other programs/Emacs packages.
If the user has specified the username they want to identify with at the
server, asking for it would be redundant and not conforming to the standard.

> IOW, I'd like to open what the current code and your changes do for a
> more detailed discussion, so we could be sure the change is TRT before
> we decide what changes to install.
>
> Thanks.

PS: Reading your message was quite hard as a non-native speaker of English, had to search so many of the acronyms.
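
The lookup behaviour discussed in this message, as an added Emacs Lisp example; it is not the patch from the bug report and not code from url-auth.el. The helper names, the host, the logins and the passwords are constructed for illustration.

```elisp
;;; -*- lexical-binding: t -*-
(require 'auth-source)
(require 'url-parse)
(require 'url-util)

(defun example-url-auth-spec (url)
  "Build an `auth-source-search' spec from URL (hypothetical helper).
Host, port and user stay in separate keys; :port and :user are only
added when the URL actually carries them."
  (let* ((parsed (url-generic-parse-url url))
         (port (url-portspec parsed))   ; explicit port only, or nil
         (user (url-user parsed)))
    (append (list :max 1 :host (url-host parsed))
            (and port (list :port (number-to-string port)))
            (and user (list :user (url-unhex-string user))))))

(defun example-compare-lookups ()
  "Run three lookups against a constructed netrc file.
Return the matched login of each lookup, or nil when nothing matched."
  (let* ((file (make-temp-file "example-authinfo"))
         (auth-sources (list file))     ; search only the constructed file
         (url "https://bob@example.org:8443/private/"))
    (unwind-protect
        (progn
          (with-temp-file file
            (insert "machine example.org port 8443 login alice password constructed-a\n"
                    "machine example.org port 8443 login bob password constructed-b\n"))
          (mapcar (lambda (spec)
                    (plist-get (car (apply #'auth-source-search spec)) :user))
                  (list
                   ;; Host, port and user as separate keys.
                   (example-url-auth-spec url)
                   ;; Port folded into :host: no "machine" line has that name.
                   '(:max 1 :host "example.org:8443")
                   ;; User from the URL dropped: the first line for the host
                   ;; and port is returned, whichever login it belongs to.
                   '(:max 1 :host "example.org" :port "8443"))))
      (delete-file file))))
```

Evaluating `(example-compare-lookups)` returns one login (or nil) per query, so the three query shapes can be compared side by side.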