-
-
Notifications
You must be signed in to change notification settings - Fork 169
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
basic-auth user and password are converted to lowercase when passed as part of "host" to URL.build #880
Comments
I don't think it's right to use the |
I agree @webknjaz . Currently it does not raise an error though. The values for basicauth user and password are lowercased and used. Could be something like that:
On the other hand it successfully extracts the basicauth user and password. It could do that before modifying the host to lowercase. |
I think it shouldn't be attempting to extract those fields. The argument is called cc @mjpieters @Dreamsorcerer WDYT? |
I checked that the docs don't advertise the ability to abuse the |
Yes, that shouldn't be allowed in |
|
Agreed. Let's explicitly deprecate parsing the |
Actually, there are 3 options:
I'm actually leaning towards option 2 here because I don't think using |
Given the existence of authority, and the naming and documentation being fairly clear, I would say option 2 would be fine. Few users should have made this mistake. I imagine it could also indicate some possibility of a security issue or similar if the host value comes from user input. e.g. It screws things up if you were adding a user explicitly:
Compare to authority, where this is already correctly validated:
|
Although I'd note that authority appears to have been added in v1.5 around 3 years ago, so maybe some risk with code that predates that. |
Fair. Option 2 seems the best way to go. Option 1 could help with the Hyrum's Law, though. But i don't care enough to insist. Either one would do. By the way, I made the changelog fragment types more accurate so it can now accommodate for deprecations if we end up doing that. |
Describe the bug
user and password casing is preserved when using the constructor:
user and password casing is lost when using
URL.build
:Note that the user & password are extracted from the string passed as
host
.passing user and password explicitly also preserves the casing:
I'd expect either user and password to preserve casing when passed into
host
(preferably) or them not being extracted into theuser
andpassword
attributes and instead remain in the lowercase and encodedhost
attribute.maybe caused by #386
converting the host to lowercase should be done after extracting username / password.
To Reproduce
Expected behavior
Logs/tracebacks
Python Version
multidict Version
yarl Version
OS
Arch Linux
Additional context
No response
Code of Conduct
The text was updated successfully, but these errors were encountered: