Skip to content

Fix basic auth built from percent-encoded URLs #143

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jan 15, 2024
Merged

Fix basic auth built from percent-encoded URLs #143

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
12c6e44
Fix basic auth built from percent-encoded URLs
pquentin Jan 5, 2024
23f9946
Fix auth with colon is userinfo username
pquentin Jan 15, 2024
File filter

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion elastic_transport/client_utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
import binascii
import dataclasses
import re
import urllib.parse
from platform import python_version
from typing import Optional, Tuple, TypeVar, Union
from urllib.parse import quote as _quote
Expand Down Expand Up @@ -218,7 +219,11 @@ def url_to_node_config(

headers = {}
if parsed_url.auth:
username, _, password = parsed_url.auth.partition(":")
# `urllib3.util.url_parse` ensures `parsed_url` is correctly
# percent-encoded but does not percent-decode userinfo, so we have to
# do it ourselves to build the basic auth header correctly.
auth = urllib.parse.unquote(parsed_url.auth)
username, _, password = auth.partition(":")
Copy link
Contributor

@technige technige Jan 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it not be (slightly) better to partition first, and then unquote? In the (extreme) case that the username contains an encoded colon (I can't imagine why, but it could) then this would partition in the wrong place. The actual separator we're looking for should never be encoded by definition, though.
Copy link
Member Author

@pquentin pquentin Jan 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, fixed in 23f9946. (I meant "colon in userinfo username, not is.)
headers["authorization"] = basic_auth_to_header((username, password))

host = parsed_url.host.strip("[]")
Expand Down
9 changes: 8 additions & 1 deletion tests/test_client_utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -236,9 +236,16 @@ def test_url_with_auth_into_authorization():

node_config = url_to_node_config("http://me@example.com:password@localhost:9200")
assert node_config.headers == {
"Authorization": "Basic bWUlNDBleGFtcGxlLmNvbTpwYXNzd29yZA=="
"Authorization": "Basic bWVAZXhhbXBsZS5jb206cGFzc3dvcmQ="
}

# ensure username and password are passed to basic auth unmodified
basic_auth = basic_auth_to_header(("user@", "@password"))
node_config = url_to_node_config("http://user@:@password@localhost:9200")
assert node_config.headers == {"Authorization": basic_auth}
node_config = url_to_node_config("http://user%40:%40password@localhost:9200")
assert node_config.headers == {"Authorization": basic_auth}


@pytest.mark.parametrize(
"basic_auth", ["", b"", ("",), ("", 1), (1, ""), ["", ""], False, object()]
Expand Down