Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libcurl: unexpected url-decoding for CURLOPT_PROXYPASSWORD & CURLOPT_PROXYUSERNAME values #13265

Closed
tilicho opened this issue Apr 2, 2024 · 0 comments
Closed

libcurl: unexpected url-decoding for CURLOPT_PROXYPASSWORD & CURLOPT_PROXYUSERNAME values #13265

tilicho opened this issue Apr 2, 2024 · 0 comments
Assignees
@bagder
Labels
authentication connecting & proxies

Comments

@tilicho
Copy link

tilicho commented Apr 2, 2024

I did this

#include <curl/curl.h>

int main(void)
{
  CURL *curl = curl_easy_init();
  if(curl) {
    CURLcode res;
    curl_easy_setopt(curl, CURLOPT_URL, "http://curl.se");
    curl_easy_setopt(curl, CURLOPT_PROXY, "http://curl.se:80");
    curl_easy_setopt(curl, CURLOPT_PROXYUSERNAME, "mrsmith%aaa");
    curl_easy_setopt(curl, CURLOPT_PROXYPASSWORD, "qwerty%4b!");
    curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
    res = curl_easy_perform(curl);
    curl_easy_cleanup(curl);
  }
  return 0;
}

I expected the following

Proxy should get username "mrsmith%aaa" and password "qwerty%4b!".

But proxy gets this:

* Proxy auth using Basic with user 'mrsmitha'
> GET http://curl.se/ HTTP/1.1
Host: curl.se
Proxy-Authorization: Basic bXJzbWl0aKphOnF3ZXJ0eUsh
Accept: */*
Proxy-Connection: Keep-Alive

After base64 decoding auth string "bXJzbWl0aKphOnF3ZXJ0eUsh" is "mrsmitha:qwertyK!".
But auth string should be "mrsmith%aaa:qwerty%4b!".

According documentation, CURLOPT_PROXYUSERNAME and CURLOPT_PROXYPASSWORD values are not supposed to be url-encoded.
Only CURLOPT_PROXYUSERPWD value is supposed to be url-encoded.

curl/libcurl version

8.7.0 and earlier

operating system

all
@bagder bagder self-assigned this Apr 2, 2024
bagder added a commit that referenced this issue Apr 3, 2024
@bagder
url: do not URL decode proxy crendentials
00febea 
The two options CURLOPT_PROXYUSERNAME and CURLOPT_PROXYPASSWORD set the
actual names as-is, not URL encoded.

Modified test 503 to use percent-encoded strings in the credential
strings that should be passed on as-is.

Reported-by: Sergey Ogryzkov
Fixes #13265
@bagder bagder mentioned this issue Apr 3, 2024
Closed
@bagder bagder closed this as completed in d5e83eb Apr 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bagder bagder

Labels
authentication connecting & proxies
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

url: do not URL decode proxy credentials curl/curl
2 participants
@bagder @tilicho