Setting CURLOPT_NETRC breaks basic auth credential quoting in curl 7.85 (7.84?) #9709
Assignees
Labels
Comments
|
Actually I can reproduce this, I was just using the wrong version of libcurl. Example #include <stdio.h>
#include <curl/curl.h>
int main(void)
{
printf("%s\n", curl_version());
CURL *curl;
CURLcode res;
curl_global_init(CURL_GLOBAL_DEFAULT);
curl = curl_easy_init();
if(curl) {
curl_easy_setopt(curl, CURLOPT_URL, "http://foo%40bar:secret@localhost:8000/");
curl_easy_setopt(curl, CURLOPT_NETRC, CURL_NETRC_OPTIONAL);
res = curl_easy_perform(curl);
if(res != CURLE_OK)
fprintf(stderr, "curl_easy_perform() failed: %s\n",
curl_easy_strerror(res));
curl_easy_cleanup(curl);
}
curl_global_cleanup();
return 0;
}Compare the |
bagder
added a commit
that referenced
this issue
Oct 12, 2022
Reported-by: Jonas Haag Fixes #9709 Closes #....
bagder
added a commit
that referenced
this issue
Oct 13, 2022
Reported-by: Jonas Haag Fixes #9709 Closes #....
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
xref mamba-org/mamba#2010
In Mamba we set
CURLOPT_NETRC: https://github.com/mamba-org/mamba/blob/f7a001e24df59ec8e35b45b2e404cd8b049c8eb9/libmamba/src/core/fetch.cpp#L230-L231In one of 7.85 or 7.84 this interacts with basic auth credentials quoting so that credentails given in an URL like
will be sent as
user%40hostin theAuthorizationheader. In curl 7.83 they were sent asuser@host.If I remove the line that sets
CURLOPT_NETRCthen it works fine as well, so there seems to be an interaction between netrc and quoted credentials that has changed in either 7.84 or 7.85. Maybe one of #9243 or #8908?I didn't test 7.84, only 7.83 and 7.85, because 7.84 is not available on conda-forge.
Unfortunately I'm unable to reproduce this outside of Mamba. I tried a C API example and pycurl but in both cases quoting is correct.
operating system
Can reproduce on Linux and macOS.
The text was updated successfully, but these errors were encountered: