Proxy authentication patches for open-uri and rubygems

Tadashi_Kadowaki · April 15, 2006, 5:57am

e$BLgOF$H?=$7$^$9!#e(B

gemse$B$r;H$*$&$H$7$FITJX$r46$8$?$N$G!"%Q%C%A$r:n$j$^$7$?!#e(B

e$B0l$DL$O!“4D6-JQ?te(Bhttp_proxye$B$,e(B"http://user:[email protected]:8080"e$B$H$J$C$F$$$ke(B
e$B>l9g$K$&$^$/G’>Z$,$G$-$F$$$J$$7o$KBP$9$k%Q%C%A$G$9!#e(BCVSe$B$K$”$ke(B1.44e$B$KBP$9$k:9J,$G$9!#e(B
e$B$b$&0l$D$O!"e(Brubygems-0.8.11
e$B$KBP$9$k%Q%C%A$G$9!#$3$l$G!“G’>ZIU$Ne(Bproxye$B$+$i$be(B
rubygemse$B$,;H$($^$9!#$3$A$i$O!“e(BCVSe$B$Ne(Brubygemse$B$O%=!<%9$r8+$?8B$j!”<!$N%j%j!<%9$G$Oe(B
e$B%Q%C%A$NI,MW$O$J$5$=$&$G$9!#e(B
gemse$B$K$O!“e(B/usr/lib/ruby/site_ruby/1.8/rubygems/open-uri.rbe$B$H$$$&%U%!%$%k$,$”$k$N$Ge(B
e$B$3$l$bCV$-49$($kI,MW$,$”$j$^$9!#e(B

*** /usr/lib/ruby/1.8/open-uri.rb.org 2006-02-20 00:17:16.000000000
+0900
— /usr/lib/ruby/1.8/open-uri.rb 2006-04-14 19:07:03.000000000 +0900

* 233,235 **
if proxy
! proxy_uri, proxy_user, proxy_pass = proxy
raise “Non-HTTP proxy URI: #{proxy_uri}” if proxy_uri.class !=
URI::HTTP
— 233,241 ----
if proxy
! if proxy[0].user && proxy[0].password
! proxy_uri = proxy[0]
! proxy_user = proxy[0].user
! proxy_pass = proxy[0].password
! else
! proxy_uri, proxy_user, proxy_pass = proxy
! end
raise “Non-HTTP proxy URI: #{proxy_uri}” if proxy_uri.class !=
URI::HTTP

*** /usr/lib/ruby/site_ruby/1.8/rubygems/remote_installer.rb
2006-04-14 17:22:19.000000000 +0900
— /usr/lib/ruby/site_ruby/1.8/rubygems/remote_installer.rb
2006-04-14 19:14:30.000000000 +0900

*** 72,74 ****
proxy_uri = URI.parse(@http_proxy)
! Net::HTTP::Proxy(proxy_uri.host, proxy_uri.port).new(host, port)
else
— 72,74 ----
proxy_uri = URI.parse(@http_proxy)
! Net::HTTP::Proxy(proxy_uri.host, proxy_uri.port,
proxy_uri.user, proxy_uri.password).new(host, port)
else

Tadashi_Kadowaki · April 15, 2006, 7:16am

In article
[email protected],
“Tadashi Kadowaki” [email protected] writes:

e$B0l$DL$O!“4D6-JQ?te(Bhttp_proxye$B$,e(B"http://user:[email protected]:8080"e$B$H$J$C$F$$$ke(B
e$B>l9g$K$&$^$/G’>Z$,$G$-$F$$$J$$7o$KBP$9$k%Q%C%A$G$9!#e(BCVSe$B$K$”$ke(B1.44e$B$KBP$9$k:9J,$G$9!#e(B

e$B4D6-JQ?t$OB>$N%f!<%6$+$i;2>H$G$-$k$?$a%Q%9%o!<%I$NJ]B8$K$OITe(B
e$BE,@Z$G$9!#$=$N$?$a!"$3$N%Q%C%A$O<u$1F~$l$i$l$^$;$s!#e(B

e$B$J$*!"e(BRFC 3986 e$B$G$Oe(B user:password e$B$re(B userinfo
e$B$KF~$l$k$N$Oe(B
deprecated e$B$H$5$l$F$$$^$9!#e(B

Use of the format “user:password” in the userinfo field is
deprecated. Applications should not render as clear text any data
after the first colon (“:”) character found within a userinfo
subcomponent unless the data after the colon is the empty string
(indicating no password). Applications may choose to ignore or
reject such data when it is received as part of a reference and
should reject the storage of such data in unencrypted form. The
passing of authentication information in clear text has proven to be
a security risk in almost every case where it has been used.

Tadashi_Kadowaki · April 15, 2006, 8:38am

e$B0l$DL$O!“4D6-JQ?te(Bhttp_proxye$B$,e(B"http://user:[email protected]:8080"e$B$H$J$C$F$$$ke(B
e$B>l9g$K$&$^$/G’>Z$,$G$-$F$$$J$$7o$KBP$9$k%Q%C%A$G$9!#e(BCVSe$B$K$”$ke(B1.44e$B$KBP$9$k:9J,$G$9!#e(B

e$B4D6-JQ?t$OB>$N%f!<%6$+$i;2>H$G$-$k$?$a%Q%9%o!<%I$NJ]B8$K$OITe(B
e$BE,@Z$G$9!#$=$N$?$a!"$3$N%Q%C%A$O<u$1F~$l$i$l$^$;$s!#e(B

e$B3N$+$K!“4D6-JQ?t$KF~$l$F$*$/$N$O0BA4$G$O$”$j$^$;$s$M!#e(B
e$B$b$&>/$7!":G?7$Ne(Bopen-uri.rbe$B$He(Bremote_installer.rbe$B$rFI$s$G$_$^$7$?!#e(B
gemse$B$G$O!"4D6-JQ?t$Ne(Bhttp_proxy_user,e$B!!e(Bhttp_proxy_passe$B$r;2>H$9$k$+e(B
e$B%Q%9%o!<%IIU$-$Ne(BURIe$B$,0z?t$H$7$FEO$;$k$3$H$,J,$+$j$^$7$?$N$G!"e(B
e$B%Q%C%A$OI,MW$J$$$h$&$G$9!#e(B

e$B<!$N%j%j!<%94|BT$7$F$$$^$9!#e(B

e$BLgOF!!@5;Ke(B