https://bugzilla.novell.com/show_bug.cgi?id=740764
https://bugzilla.novell.com/show_bug.cgi?id=740764#c2
Michael Andres changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |RESOLVED
InfoProvider|g.roberti@silenti.net |
Resolution| |FIXED
--- Comment #2 from Michael Andres 2012-01-16 12:23:08 CET ---
1.) From the security point of view, /etc/sysconfig/proxy should not contain
proxy 'username:password' embedded in the URL, as the file is world-readable.
The YaST proxy module e.g. would move 'username:password' to ~root/curlrc (read
only for root).
2.) However, if 'username:password' are embedded in the proxy URL in
/etc/sysconfig/proxy (http://user:pass@host:port), any special chars occurring
in username:password (e.g. a '@') must be %-escaped.
According to the log it looks like the not escaped '\@' in your proxy-username
causes the error ('\@' escape does not work here, needs to be '%40').
Preferred solution would be of course using the yast proxy module to define the
proxy settings.
3.) But there is also a bug in libzypps way of handling a correctly escaped
'username:password' in a /etc/sysconfig/proxy URL. libzypp will pass the
embeded credentials to libcurl, and at the same time try to pass matching
credentials found in ~/.curlrc too. This might confuse curl.
This is fixed in libzyp-10.3.6. Embedded credentials will be preferred, .curlrc
will be considered only if URL has no credentials embedded.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.