GNU bug report logs - #72526
31.0.50; [PATCH] Fix url-basic-auth secret search when passing username and/or port
Reported by: Björn Bidar <bjorn.bidar <at> thaodan.de>
Date: Thu, 8 Aug 2024 15:03:01 UTC
Severity: normal
Tags: patch
Found in version 31.0.50
Done: Eli Zaretskii <eliz <at> gnu.org>
Bug is archived. No further changes may be made.
Eli Zaretskii <eliz <at> gnu.org> writes:
>> From: Björn Bidar <bjorn.bidar <at> thaodan.de>
>> Cc: 72526 <at> debbugs.gnu.org
>> Date: Sun, 18 Aug 2024 15:30:22 +0300
>>
>> Eli Zaretskii <eliz <at> gnu.org> writes:
>>
>> 1. url-basic-auth-store uses the 'server' as in the '<server>:<port>' in
>> url-basic-auth-storage. I did not want to change the existing format
>> as I don't know the implications.
>
> Can you calculate a separate variable once, and then use 'server' and
> that new variable, each one where appropriate? It simply doesn't look
> clean to recalculate the same value several times.
>
>> 2. I tested calling auth-source-search with :user nil and without :user;
>> in both cases the result was the same. From this I infer that calling
>> auth-source-search with :user nil is ok.
>
> Wouldn't it be cleaner to omit :user if the value is nil?
It would. How would one do such a thing in Lisp, except of course by
having two separate calls, one with :user and one without :user?
In C it would be normal to just pass NULL if the argument is optional
(I am a beginner in Lisp).
>> Yes, if auth-source-search doesn't find a user for the url,
>> url-basic-auth will prompt the user for a user.
>> Why is it a good idea to derive the user by url-basic-auth?
>> Because HTTP basic authentication uses the as specified in RFC 3986
>> section 3.2.1. Using it in this function to infer the user from the
>> url just follows the standard as already in other programs/Emacs
>> packages.
>> If the user has specified the username they want to identify with
>> at the server, asking for it would be redundant and not conforming to
>> the standard.
>
> What does the current code do in that case? Does it completely fail,
> or does it prompt for the username? If the latter, it would be a
> change in behavior, won't it?
Currently it does ask for the user even if the caller sends the user in the
url. It would be a change of behavior; however, it is expected that the user is
used in HTTP basic authentication if the url is 'http://user@host'.
I don't think any caller would call the function in such a way without
expecting that user is the username used in the call.
>> PS: Reading your message was quite hard as a non-native speaker of
>> English, had to search so many of the acronyms.
>
> Sorry about that. (I'm not a native English speaker, either.)
Np, I was wondering if you are (your last name did sound interesting).
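
One way to pass :user only when the URL carries a username, and to compute the '<server>:<port>' string once, as discussed in the message above. This is an added example, not code from the patch or from url-auth.el; the `my/` function names and the example.org URLs are hypothetical, and the choice of :host and :port values is an assumption made for illustration.

```elisp
;;; -*- lexical-binding: t -*-
(require 'url-parse)
(require 'auth-source)

(defun my/basic-auth-parts (url-string)
  "Return a plist with the pieces of URL-STRING needed for Basic auth.
Hypothetical helper for illustration only."
  (let* ((url  (url-generic-parse-url url-string))
         (host (url-host url))
         ;; `url-port' falls back to the scheme's default port when the
         ;; URL has no explicit port.
         (port (url-port url)))
    (list :host host
          :port port
          ;; The "<server>:<port>" key, computed once and reused by callers.
          :server-key (format "%s:%d" host port)
          ;; RFC 3986 section 3.2.1 userinfo; nil when the URL has none.
          :user (url-user url))))

(defun my/basic-auth-search-args (url-string)
  "Build the argument list for `auth-source-search' from URL-STRING.
The :user keyword is included only when the URL names a user."
  (let* ((parts (my/basic-auth-parts url-string))
         (user  (plist-get parts :user)))
    (append (list :max 1
                  :host (plist-get parts :host)
                  :port (number-to-string (plist-get parts :port)))
            ;; `when' yields nil for a missing user, and appending nil
            ;; adds nothing, so the keyword is simply left out.
            (when user (list :user user)))))

(defun my/basic-auth-lookup (url-string)
  "Return the first auth-source entry matching URL-STRING, or nil."
  ;; A single call site: `apply' spreads the list built above.
  (car (apply #'auth-source-search
              (my/basic-auth-search-args url-string))))

;; Constructed sample URLs: the first yields an argument list with
;; :user, the second one without it.
(my/basic-auth-search-args "http://alice@example.org:8080/private/")
(my/basic-auth-search-args "https://example.org/private/")
```

Building the argument list separately from the lookup also lets the two cases be inspected without touching any credential store.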
This bug report was last modified 77 days ago.