Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

URL parser treats blank user as no user (CURLUE_NO_USER) #9088

Closed
jay opened this issue Jul 3, 2022 · 2 comments
Closed

URL parser treats blank user as no user (CURLUE_NO_USER) #9088

jay opened this issue Jul 3, 2022 · 2 comments
Assignees
Labels

Comments

@jay
Copy link
Member

jay commented Jul 3, 2022

I did this

http://:@corporate_proxy:8080/ from jeroen/curl#237. It seems to me the reporter @OscarLane wants to be able to set ALL_PROXY with a blank user/pass so that libcurl w/SSPI will use his Windows credentials.

When the username is retrieved from the CURLU it returns CURLUE_NO_USER which is documented as "There is no user part in the URL."

curl/lib/url.c

Lines 2502 to 2513 in 45ac4d0

/* Is there a username and password given in this proxy url? */
uc = curl_url_get(uhp, CURLUPART_USER, &proxyuser, CURLU_URLDECODE);
if(uc && (uc != CURLUE_NO_USER))
goto error;
uc = curl_url_get(uhp, CURLUPART_PASSWORD, &proxypasswd, CURLU_URLDECODE);
if(uc && (uc != CURLUE_NO_PASSWORD))
goto error;
if(proxyuser || proxypasswd) {
Curl_safefree(proxyinfo->user);
proxyinfo->user = proxyuser;
result = Curl_setstropt(&data->state.aptr.proxyuser, proxyuser);

I expected the following

I'm not sure on this one. Is this expected?

curl/libcurl version

curl 7.84.1-DEV (i386-pc-win32) libcurl/7.84.1-DEV Schannel WinIDN
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS Debug HSTS IDN IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI Unicode UnixSockets

/cc @jeroen

@bagder
Copy link
Member

bagder commented Jul 3, 2022

Is this expected?

I don't think anyone has thought about it. The entire "set blank user name to trigger X" is a somewhat of a kludge, so it's not always easy to tell how it should work!

@jay
Copy link
Member Author

jay commented Jul 4, 2022

I don't see any downsides to changing it. The change below fixes it but then will also do it even if the login string is empty, for example http://@test.com

diff --git a/lib/url.c b/lib/url.c
index 1114c6c..0ce1aa1 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2894,7 +2894,7 @@ CURLcode Curl_parse_login_details(const char *login, const size_t len,
                                  (size_t)(login + len - osep)) - 1 : 0);
 
   /* Allocate the user portion buffer */
-  if(userp && ulen) {
+  if(userp) {
     ubuf = malloc(ulen + 1);
     if(!ubuf)
       result = CURLE_OUT_OF_MEMORY;

bagder added a commit that referenced this issue Sep 25, 2022
Adjusted test 1560 to verify

Reported-by: Jay Satiro

Fixes #9088
@bagder bagder self-assigned this Sep 25, 2022
@bagder bagder closed this as completed in 1a87a1e Sep 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

Successfully merging a pull request may close this issue.

2 participants