About open-uri and ENV["HTTP_PROXY"]

Discussion in 'Ruby' started by Anatol Pomozov, Dec 11, 2005.

  1. Hi, all.

    I am investigating a problem with Gems and proxy authorization and I have
    a question about the open-uri code.
    To be precise, the code from OpenURI.open_loop(uri, options) (current version
    from CVS):

    when :proxy
    opt_proxy = options.fetch(:proxy)
    proxy_user = nil
    proxy_pass = nil

    The proxy option mostly comes from ENV and could contain information for basic
    authorization: a username and password. Something like this
    http://anatol::8080/
    and the right way is to parse this string and set proxy_user to anatol, proxy_pass
    to pwd and proxy_url to http://www.proxy.com:8080/

    The same goes for the code a bit below:
    when true
    find_proxy = lambda {|u| pxy = u.find_proxy; pxy ? [pxy, nil, nil] : nil}

    It should be
    when true
    find_proxy = lambda {|u| pxy = u.find_proxy; pxy ?
    parse_proxy_and_find_authorization_info(pxy) : nil}


    Is it logical??

    --
    anatol (http://pomozov.info)

    Anatol Pomozov, Dec 11, 2005
    #1

  2. Tanaka Akira Guest

    In article <>,
    Anatol Pomozov <> writes:

    > I am investigating a problem with Gems and proxy authorization and I have
    > a question about the open-uri code.
    > To be precise, the code from OpenURI.open_loop(uri, options) (current version
    > from CVS):
    >
    > when :proxy
    > opt_proxy = options.fetch(:proxy)
    > proxy_user = nil
    > proxy_pass = nil
    >
    > The proxy option mostly comes from ENV and could contain information for basic
    > authorization: a username and password. Something like this
    > http://anatol::8080/
    > and the right way is to parse this string and set proxy_user to anatol, proxy_pass
    > to pwd and proxy_url to http://www.proxy.com:8080/


    Environment variables are not an appropriate place to store
    passwords since they are visible to other users.

    Note that RFC 3986 deprecates "user:password" in the
    userinfo field.

    | 3.2.1. User Information
    |
    | The userinfo subcomponent may consist of a user name and, optionally,
    | scheme-specific information about how to gain authorization to access
    | the resource. The user information, if present, is followed by a
    | commercial at-sign ("@") that delimits it from the host.
    |
    | userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
    |
    | Use of the format "user:password" in the userinfo field is
    | deprecated. Applications should not render as clear text any data
    | after the first colon (":") character found within a userinfo
    | subcomponent unless the data after the colon is the empty string
    | (indicating no password). Applications may choose to ignore or
    | reject such data when it is received as part of a reference and
    | should reject the storage of such data in unencrypted form. The
    | passing of authentication information in clear text has proven to be
    | a security risk in almost every case where it has been used.
    |
    | Applications that render a URI for the sake of user feedback, such as
    | in graphical hypertext browsing, should render userinfo in a way that
    | is distinguished from the rest of a URI, when feasible. Such
    | rendering will assist the user in cases where the userinfo has been
    | misleadingly crafted to look like a trusted domain name
    | (Section 7.6).
    --
    Tanaka Akira
     
    Tanaka Akira, Dec 12, 2005
    #2
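
The parsing proposed in the first post, combined with the RFC 3986 rule quoted in the reply, as an added example that is not part of the thread or of open-uri: it splits a proxy URL into a credential-free URL, the decoded user and password, and a display form that never shows the password. `split_proxy_url`, `proxy_from_env`, `pct_decode` and `ProxySettings` are hypothetical names, and the sample proxy value is constructed.

```ruby
require "uri"

ProxySettings = Struct.new(:url, :user, :password, :display)

# Percent-decode one userinfo component (nil stays nil).
def pct_decode(str)
  str && str.gsub(/%(\h\h)/) { $1.hex.chr }
end

# Hypothetical helper, not part of open-uri: split a proxy URL such as
# http://user:password@host:port/ into a credential-free URL, the decoded
# user and password, and a form that is safe to log or display.
def split_proxy_url(proxy_url)
  uri = URI.parse(proxy_url)
  unless uri.is_a?(URI::HTTP) && uri.host
    raise ArgumentError, "proxy must be an http(s) URL with a host"
  end
  bare = "#{uri.scheme}://#{uri.host}:#{uri.port}#{uri.path}"
  # RFC 3986 section 3.2.1: never render what follows the first ":" of
  # userinfo in clear text, so the display form masks the password.
  display = bare
  if uri.user
    mask = uri.password ? ":***" : ""
    display = bare.sub("://", "://#{uri.user}#{mask}@")
  end
  ProxySettings.new(bare, pct_decode(uri.user), pct_decode(uri.password), display)
end

# Read the proxy from an environment-like hash (ENV by default).
def proxy_from_env(env = ENV)
  raw = env["http_proxy"] || env["HTTP_PROXY"]
  raw && !raw.empty? ? split_proxy_url(raw) : nil
end

# Constructed sample value, not taken from the thread.
sample = { "HTTP_PROXY" => "http://anatol:p%40ss@www.proxy.com:8080/" }
settings = proxy_from_env(sample)
puts "using proxy #{settings.display}"
```

Only the `display` field belongs in log lines or error messages; the decoded `user` and `password` are meant to be handed straight to the proxy authentication step.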