GNU bug report logs - #72526
31.0.50; [PATCH] Fix url-basic-auth secret search when passing username and/or port


Package: emacs;

Reported by: Björn Bidar <bjorn.bidar <at> thaodan.de>

Date: Thu, 8 Aug 2024 15:03:01 UTC

Severity: normal

Tags: patch

Found in version 31.0.50

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.



Message #46 received at 72526 <at> debbugs.gnu.org (full text, mbox):

From: Eli Zaretskii <eliz <at> gnu.org>
To: Björn Bidar <bjorn.bidar <at> thaodan.de>
Cc: 72526 <at> debbugs.gnu.org
Subject: Re: bug#72526: 31.0.50; [PATCH] Fix url-basic-auth secret search
 when passing username and/or port
Date: Sat, 24 Aug 2024 15:51:40 +0300
> From: Björn Bidar <bjorn.bidar <at> thaodan.de>
> Cc: 72526-done <at> debbugs.gnu.org
> Date: Sat, 24 Aug 2024 14:59:29 +0300
> 
> Eli Zaretskii <eliz <at> gnu.org> writes:
> 
> >> From: Björn Bidar <bjorn.bidar <at> thaodan.de>
> >> Cc: 72526 <at> debbugs.gnu.org
> >> Date: Mon, 19 Aug 2024 09:54:09 +0300
> >> 
> >> Eli Zaretskii <eliz <at> gnu.org> writes:
> >> 
> >> >> From: Björn Bidar <bjorn.bidar <at> thaodan.de>
> >> >> Cc: 72526 <at> debbugs.gnu.org
> >> >> Date: Sun, 18 Aug 2024 15:30:22 +0300
> >> >> 
> >> >> Eli Zaretskii <eliz <at> gnu.org> writes:
> >> >> 
> >> >> 1. url-basic-auth-store uses the 'server' as in the '<server>:<port>' in
> >> >>    url-basic-auth-storage. I did not want to change the existing format
> >> >>    as I don't know the implications.
> >> >
> >> > Can you calculate a separate variable once, and then use 'server' and
> >> > that new variable, each one where appropriate?  It simply doesn't look
> >> > clean to recalculate the same value several times.
> >> >
> >> >> 2. I tested calling auth-source-search with :user nil and without :user
> >> >>    in both cases the result was the same, from this I imply that calling
> >> >>    auth-source-search with :user nil is ok.
> >> >
> >> > Wouldn't it be cleaner to omit :user if the value is nil?
> >> 
> >> It would, how would one do such a thing in lisp except of course
> >> having two separate calls one with :user and one without :user.
> >> For C it would be normal to just pass NULL if the argument is optional
> >> (beginner in lisp).
> >> 
> >> >>    Yes if auth-source-search doesn't find a user for the url
> >> >>    url-basic-auth will prompt the user for a user.
> >> >>    Why is it a good idea to derive the user by url-basic-auth?
> >> >>    Because HTTP basic authentication uses the as specified in RFC 3986
> >> >>    section 3.2.1. Using it in this function to infer the user from the
> >> >>    url just follows the standard as already in other programs/Emacs
> >> >>    packages.
> >> >>    If the user has specified the username they want to identify with
> >> >>    at the server asking for it would be redundant and not conforming to
> >> >>    the standard.
> >> >
> >> > What does the current code do in that case?  Does it completely fail,
> >> > or does it prompt for the username?  If the latter, it would be a
> >> > change in behavior, won't it?
> >> 
> >> Currently it does ask for the user even if the caller sends the user in the
> >> url. It would be a change of behavior, however it is expected that the user is
> >> used in HTTP basic authentication if the url is 'http://user <at> host'.
> >> I don't think any caller would call the function in such a way without
> >> expecting that user is the username used in the call.
> >
> > Thanks, so I installed the patch on the master branch, and I'm now
> > closing this bug.
> 
> Would it make sense to apply it to Emacs 30.1 too?

It's too late for behavior changes on the release branch, sorry.

> What about the other patch? Should :user only be passed to
> auth-source-search if there was a user in the url for the patch to be
> ok?

Sorry, forgot to push that.  Done now.
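
The thread's open question (how to pass :user to auth-source-search only when the URL actually carries a user) can be handled by building the keyword list first and calling the function with `apply`. The following is an added illustration, not the patch installed for this bug and not code from url-auth.el; the `my/` function names, the sample URLs and the choice to search by numeric port string are assumptions.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration; not the code installed for bug#72526.
;; The my/ names are hypothetical helpers.
(require 'auth-source)
(require 'url-parse)

(defun my/url-auth-search-spec (url)
  "Return an `auth-source-search' argument list for URL.
`:user' is included only when URL has a non-empty userinfo part
(RFC 3986 section 3.2.1); otherwise the keyword is left out
entirely rather than passed as nil."
  (let* ((parsed (url-generic-parse-url url))
         (user (url-user parsed))
         (host (url-host parsed))
         ;; `url-port' falls back to the scheme's default port
         ;; when the URL does not name one explicitly.
         (port (url-port parsed)))
    (append (list :host host
                  ;; Assumption: match entries stored by port number.
                  :port (number-to-string port)
                  :max 1)
            ;; Conditional keyword: contributes nothing to the list
            ;; when USER is nil or the empty string.
            (and (> (length user) 0) (list :user user)))))

(defun my/url-auth-lookup (url)
  "Return (USER . PASSWORD) for URL from auth-source, or nil."
  (let* ((found (car (apply #'auth-source-search
                            (my/url-auth-search-spec url))))
         (secret (plist-get found :secret)))
    (when found
      (cons (plist-get found :user)
            ;; Backends may hand the secret back as a function so it
            ;; is not kept in plain text; call it to obtain the value.
            (if (functionp secret) (funcall secret) secret)))))

;; Constructed sample inputs, one with userinfo and one without:
;; (my/url-auth-search-spec "https://alice@example.org:8443/api")
;; (my/url-auth-search-spec "https://example.org/api")
```

Because the user from the URL narrows the search, a credential stored for a different user on the same host and port is not returned for a URL that names a specific user.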




This bug report was last modified 77 days ago.
