[MPlayer-dev-eng] [PATCH 1/7] Unescape login/password before base64 encode

Clément Bœsch ubitux at gmail.com
Thu Nov 11 23:05:03 CET 2010


On Thu, Nov 11, 2010 at 08:36:07PM +0100, Reimar Döffinger wrote:
> On Thu, Nov 11, 2010 at 01:41:39PM +0100, Clément Bœsch wrote:
> > > And what about unescaping in url_new when username/password is assigned?
> > 
> > Yes, this seems actually to be a better solution.
> 
> Why not like patch below?
> 

Oh… I feel stupid :)

Yes please, commit this version.

> > > > > I don't think escaping is supposed to be applied to anything else.
> > > > 
> > > > We could also have users who try to make special character by urlencoding
> > > > themselves the password (special char not easy to escape with the shell,
> > > > or simply break url parsing in MPlayer because of ':' or '@' in it).
> > > > MPlayer urlencode won't change the string, but the http auth code will be
> > > > able to decode it.
> > > 
> > > Well, thinking more about it I have the suspicion that your patch will
> > > actually break e.g. %20 as password, it well end up using a single space
> > > as password (unless you pre-escape it of course)...
> > > Doing it in url_new would at least allow the other method of specifying
> > > it...
> > > I'd actually be quite curious what webbrowser do in such a case.
> > 
> > MPlayer is closer to curl than a browser in term of use, so I just
> > compared with it, and here is the behaviour:
> > 
> >   curl 'http://usr:%20@localhost:8000'     => 'dXNyOiA='     => 'usr: '
> >   curl 'http://locahost:8000' -u 'usr:%20' => 'dXNyOiUyMA==' => 'usr:%20'
> > 
> > So indeed, unescaping in url_new seems to be the right thing to do. Patch
> > attached.
> 
> Very nice test, that gives me a lot more confidence that we are doing something
> sane.
> 

Also note urlencoding the password for an http proxy with MPlayer will be
the only solution to specify a "complex" password since there is no
-proxy-user and -proxy-passwd. But well, it will be possible. Maybe more
than an example in the man pages will be needed.

So please, commit this so I can go ahead for the next issue.

Anyway, thanks for your implication :)

> Index: url.c
> ===================================================================
> --- url.c       (revision 32620)
> +++ url.c       (working copy)
> @@ -153,7 +153,9 @@
>                         }
>                         strncpy( Curl->password, ptr3+1, len2);
>                         Curl->password[len2]='\0';
> +                       url_unescape_string(Curl->password, Curl->password);
>                 }
> +               url_unescape_string(Curl->username, Curl->username);
>                 ptr1 = ptr2+1;
>                 pos1 = ptr1-escfilename;
>         }
> @@ -252,7 +254,8 @@
>  
>  
>  /* Replace escape sequences in an URL (or a part of an URL) */
> -/* works like strcpy(), but without return argument */
> +/* works like strcpy(), but without return argument,
> +   except that outbuf == inbuf is allowed */
>  void
>  url_unescape_string(char *outbuf, const char *inbuf)
>  {
> _______________________________________________
> MPlayer-dev-eng mailing list
> MPlayer-dev-eng at mplayerhq.hu
> https://lists.mplayerhq.hu/mailman/listinfo/mplayer-dev-eng

-- 
Clément B.
Not sent from a jesusPhone.


More information about the MPlayer-dev-eng mailing list