bug#4883: 23.1; url-http: wrong server name used for pwd lookup during proxy authentication

bug#4883: 23.1; url-http: wrong server name used for pwd lookup during proxy authentication

[Kai Tetzlaff]

Please write in English if possible, because the Emacs maintainers
usually do not have translators to read other languages for them.

Your bug report will be posted to the bug-gnu-emacs@gnu.org mailing list,
and to the gnu.emacs.bug news group.

Please describe exactly what actions triggered the bug
and the precise symptoms of the bug:

The following describes a problem with password lookup which happens when
trying to download an HTTP document through a proxy server when this proxy
server requires users to authenticate. When trying to find credentials, the
URL lib is using the name of the server in the original download URL instead
of the name of the proxy server for the username/password lookup.

I've tried to analyze what's happening and also have a patch (at the end of
this bug report). But now some more details:

Even though this report describes what i believe is a bug in the url lib, let
me first explain shortly what i've been doing when i discovered the problem:
I've been trying out the irfc package (http://www.emacswiki.org/emacs/irfc.el)
to download RFCs from emacs. At work i can only access the web via an HTTP
proxy server which requires (http basic) authentication.

Using:

(setq url-proxy-services '(("http" . "proxy.example.net:80")))

i then tried to download rfc3098 using irfc-visit. Irfc-visit subsequently
calls url-retrieve with the result of:

(url-generic-parse-url "http://www.ietf.org/rfc/rfc3098.txt")

The functions in the url.el and friends start doing their work. A GET request
gets sent to the proxy server which is answered with a 407 response asking for
authentication. The URL lib detects the authentication request and tries to
obtain the required credentials. This is done by calling:

...
url-get-authentication (url-auth.el)
url-basic-auth (url-auth.el)

and finally:
 
auth-source-user-or-password (auth-source.el)

which uses the name of the server which asks for authentication (and a
protocol identifier) to check if a login/password is stored somewhere (in my
case: ~/authinfo.gpg).

However, the lookup is using www.ietf.org to lookup the password instead of
the name of the proxy server (proxy.example.net). So the lookup fails.

The following patch tries to fix proxy authentication in
url-http-handle-authentication. It is adding a new variable auth-url which
gets set to the proxy url or the original download URL depending on the use of
a proxy server. This new variable is then used in the call to
url-get-authentication (instead of always using the original download URL).

There might be a better solution from someone who has a deeper understanding
of the code in the url lib. But the following solves the problem - at least
for my case:

Index: lisp/url/url-http.el
===================================================================
RCS file: /cvsroot/emacs/emacs/lisp/url/url-http.el,v
retrieving revision 1.64
diff -u -r1.64 url-http.el
--- lisp/url/url-http.el	1 Oct 2009 02:06:55 -0000	1.64
+++ lisp/url/url-http.el	6 Nov 2009 10:25:02 -0000
@@ -315,12 +315,16 @@
 		  '("basic")))
 	(type nil)
 	(url (url-recreate-url url-current-object))
-	(url-basic-auth-storage 'url-http-real-basic-auth-storage)
+	(auth-url (url-recreate-url
+		   (if (and proxy (boundp 'url-http-proxy))
+		       url-http-proxy
+		     url-current-object)))
+	(url-basic-auth-storage (if proxy
+				    ;; Cheating, but who cares? :)
+				    'url-http-proxy-basic-auth-storage
+				  'url-http-real-basic-auth-storage))
 	auth
 	(strength 0))
-    ;; Cheating, but who cares? :)
-    (if proxy
-	(setq url-basic-auth-storage 'url-http-proxy-basic-auth-storage))
 
     ;; find strongest supported auth
     (dolist (this-auth auths)
@@ -347,7 +351,7 @@
 		  " send it to " url-bug-address ".<hr>")
 	  (setq status t))
       (let* ((args (url-parse-args (subst-char-in-string ?, ?\; auth)))
-	     (auth (url-get-authentication url (cdr-safe (assoc "realm" args))
+	     (auth (url-get-authentication auth-url (cdr-safe (assoc "realm" args))
 					   type t args)))
 	(if (not auth)
 	    (setq success t)


If Emacs crashed, and you have the Emacs process in the gdb debugger,
please include the output from the following gdb commands:
    `bt full' and `xbacktrace'.
If you would like to further debug the crash, please read the file
c:/Programme/emacs-23.1/etc/DEBUG for instructions.


In GNU Emacs 23.1.1 (i386-mingw-nt5.1.2600)
 of 2009-07-30 on SOFT-MJASON
Windowing system distributor `Microsoft Corp.', version 5.1.2600
configured using `configure --with-gcc (4.4)'

Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: nil
  value of $LC_CTYPE: nil
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: DEU
  value of $XMODIFIERS: nil
  locale-coding-system: cp1252
  default-enable-multibyte-characters: t

Major mode: Lisp Interaction

Minor modes in effect:
  icicle-mode: t
  minibuffer-depth-indicate-mode: t
  shell-dirtrack-mode: t
  icomplete-mode: t
  pretty-control-l-mode: t
  delete-selection-mode: t
  show-paren-mode: t
  global-auto-revert-mode: t
  display-time-mode: t
  tooltip-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  global-auto-composition-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  size-indication-mode: t
  column-number-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent input:
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<menu-bar> <help-menu> <send-emacs-bug-report>

Recent messages:
Turning OFF Icicle mode...done
ad-handle-definition: `choose-completion-string' got redefined
Turning ON Icicle mode...done
ad-handle-definition: `choose-completion-string' got redefined
Turning OFF Icicle mode...done
Loading c:/kt/.emacs.d/init/rc/rc-misc.el (source)...done
Loading c:/kt/.emacs.d/tmp/session.el (source)...done
ad-handle-definition: `choose-completion-string' got redefined
Turning ON Icicle mode...done
Finished .emacs

bug#4883: marked as done (23.1; url-http: wrong server name used for pwd lookup during proxy authentication)

[Emacs bug Tracking System]

[-- Attachment #1: Type: text/plain, Size: 952 bytes --]

Your message dated Sun, 08 Nov 2009 00:33:48 -0500
with message-id <87fx8pmvgj.fsf@stupidchicken.com>
and subject line Re: 23.1; url-http: wrong server name used for pwd lookup during proxy authentication
has caused the Emacs bug report #4883,
regarding 23.1; url-http: wrong server name used for pwd lookup during proxy authentication
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@emacsbugs.donarmstrong.com
immediately.)


-- 
4883: http://emacsbugs.donarmstrong.com/cgi-bin/bugreport.cgi?bug=4883
Emacs Bug Tracking System
Contact owner@emacsbugs.donarmstrong.com with problems

[-- Attachment #2: Type: message/rfc822, Size: 9208 bytes --]

From: Kai Tetzlaff <kai.tetzlaff@web.de>
To: bug-gnu-emacs@gnu.org
Subject: 23.1; url-http: wrong server name used for pwd lookup during proxy authentication
Date: Sat, 07 Nov 2009 12:43:01 +0100
Message-ID: <82bpje5zne.wl%kai.tetzlaff@web.de>


Please write in English if possible, because the Emacs maintainers
usually do not have translators to read other languages for them.

Your bug report will be posted to the bug-gnu-emacs@gnu.org mailing list,
and to the gnu.emacs.bug news group.

Please describe exactly what actions triggered the bug
and the precise symptoms of the bug:

The following describes a problem with password lookup which happens when
trying to download an HTTP document through a proxy server when this proxy
server requires users to authenticate. When trying to find credentials, the
URL lib is using the name of the server in the original download URL instead
of the name of the proxy server for the username/password lookup.

I've tried to analyze what's happening and also have a patch (at the end of
this bug report). But now some more details:

Even though this report describes what i believe is a bug in the url lib, let
me first explain shortly what i've been doing when i discovered the problem:
I've been trying out the irfc package (http://www.emacswiki.org/emacs/irfc.el)
to download RFCs from emacs. At work i can only access the web via an HTTP
proxy server which requires (http basic) authentication.

Using:

(setq url-proxy-services '(("http" . "proxy.example.net:80")))

i then tried to download rfc3098 using irfc-visit. Irfc-visit subsequently
calls url-retrieve with the result of:

(url-generic-parse-url "http://www.ietf.org/rfc/rfc3098.txt")

The functions in the url.el and friends start doing their work. A GET request
gets sent to the proxy server which is answered with a 407 response asking for
authentication. The URL lib detects the authentication request and tries to
obtain the required credentials. This is done by calling:

...
url-get-authentication (url-auth.el)
url-basic-auth (url-auth.el)

and finally:
 
auth-source-user-or-password (auth-source.el)

which uses the name of the server which asks for authentication (and a
protocol identifier) to check if a login/password is stored somewhere (in my
case: ~/authinfo.gpg).

However, the lookup is using www.ietf.org to lookup the password instead of
the name of the proxy server (proxy.example.net). So the lookup fails.

The following patch tries to fix proxy authentication in
url-http-handle-authentication. It is adding a new variable auth-url which
gets set to the proxy url or the original download URL depending on the use of
a proxy server. This new variable is then used in the call to
url-get-authentication (instead of always using the original download URL).

There might be a better solution from someone who has a deeper understanding
of the code in the url lib. But the following solves the problem - at least
for my case:

Index: lisp/url/url-http.el
===================================================================
RCS file: /cvsroot/emacs/emacs/lisp/url/url-http.el,v
retrieving revision 1.64
diff -u -r1.64 url-http.el
--- lisp/url/url-http.el	1 Oct 2009 02:06:55 -0000	1.64
+++ lisp/url/url-http.el	6 Nov 2009 10:25:02 -0000
@@ -315,12 +315,16 @@
 		  '("basic")))
 	(type nil)
 	(url (url-recreate-url url-current-object))
-	(url-basic-auth-storage 'url-http-real-basic-auth-storage)
+	(auth-url (url-recreate-url
+		   (if (and proxy (boundp 'url-http-proxy))
+		       url-http-proxy
+		     url-current-object)))
+	(url-basic-auth-storage (if proxy
+				    ;; Cheating, but who cares? :)
+				    'url-http-proxy-basic-auth-storage
+				  'url-http-real-basic-auth-storage))
 	auth
 	(strength 0))
-    ;; Cheating, but who cares? :)
-    (if proxy
-	(setq url-basic-auth-storage 'url-http-proxy-basic-auth-storage))
 
     ;; find strongest supported auth
     (dolist (this-auth auths)
@@ -347,7 +351,7 @@
 		  " send it to " url-bug-address ".<hr>")
 	  (setq status t))
       (let* ((args (url-parse-args (subst-char-in-string ?, ?\; auth)))
-	     (auth (url-get-authentication url (cdr-safe (assoc "realm" args))
+	     (auth (url-get-authentication auth-url (cdr-safe (assoc "realm" args))
 					   type t args)))
 	(if (not auth)
 	    (setq success t)


If Emacs crashed, and you have the Emacs process in the gdb debugger,
please include the output from the following gdb commands:
    `bt full' and `xbacktrace'.
If you would like to further debug the crash, please read the file
c:/Programme/emacs-23.1/etc/DEBUG for instructions.


In GNU Emacs 23.1.1 (i386-mingw-nt5.1.2600)
 of 2009-07-30 on SOFT-MJASON
Windowing system distributor `Microsoft Corp.', version 5.1.2600
configured using `configure --with-gcc (4.4)'

Important settings:
  value of $LC_ALL: nil
  value of $LC_COLLATE: nil
  value of $LC_CTYPE: nil
  value of $LC_MESSAGES: nil
  value of $LC_MONETARY: nil
  value of $LC_NUMERIC: nil
  value of $LC_TIME: nil
  value of $LANG: DEU
  value of $XMODIFIERS: nil
  locale-coding-system: cp1252
  default-enable-multibyte-characters: t

Major mode: Lisp Interaction

Minor modes in effect:
  icicle-mode: t
  minibuffer-depth-indicate-mode: t
  shell-dirtrack-mode: t
  icomplete-mode: t
  pretty-control-l-mode: t
  delete-selection-mode: t
  show-paren-mode: t
  global-auto-revert-mode: t
  display-time-mode: t
  tooltip-mode: t
  mouse-wheel-mode: t
  menu-bar-mode: t
  file-name-shadow-mode: t
  global-font-lock-mode: t
  font-lock-mode: t
  blink-cursor-mode: t
  global-auto-composition-mode: t
  auto-composition-mode: t
  auto-encryption-mode: t
  auto-compression-mode: t
  size-indication-mode: t
  column-number-mode: t
  line-number-mode: t
  transient-mark-mode: t

Recent input:
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<help-echo> <help-echo> <help-echo> <help-echo> <help-echo> 
<menu-bar> <help-menu> <send-emacs-bug-report>

Recent messages:
Turning OFF Icicle mode...done
ad-handle-definition: `choose-completion-string' got redefined
Turning ON Icicle mode...done
ad-handle-definition: `choose-completion-string' got redefined
Turning OFF Icicle mode...done
Loading c:/kt/.emacs.d/init/rc/rc-misc.el (source)...done
Loading c:/kt/.emacs.d/tmp/session.el (source)...done
ad-handle-definition: `choose-completion-string' got redefined
Turning ON Icicle mode...done
Finished .emacs



[-- Attachment #3: Type: message/rfc822, Size: 1911 bytes --]

From: Chong Yidong <cyd@stupidchicken.com>
To: Kai Tetzlaff <kai.tetzlaff@web.de>
Cc: 4883-done@emacsbugs.donarmstrong.com
Subject: Re: 23.1; url-http: wrong server name used for pwd lookup during proxy authentication
Date: Sun, 08 Nov 2009 00:33:48 -0500
Message-ID: <87fx8pmvgj.fsf@stupidchicken.com>

> The following patch tries to fix proxy authentication in
> url-http-handle-authentication. It is adding a new variable auth-url
> which gets set to the proxy url or the original download URL depending
> on the use of a proxy server. This new variable is then used in the
> call to url-get-authentication (instead of always using the original
> download URL).

The patch looks good.  I've checked it into CVS; thanks.