Sure I can provide the patch if you want,

Would basically just have to change

user = m.group("user")
passwd = m.group("passwd")

to

user = urllib.unquote(m.group("user"))
passwd = urllib.unquote(m.group("passwd"))

everywhere you parse the credentials.


On Sep 29, 11:35 am, mdipierro <[email protected]> wrote:
> Ignore my previous email... there is no need for a patch for what you
> are suggesting... let me think about this some more.
>
> On Sep 29, 11:01 am, Josh J <[email protected]> wrote:
>
> > Hey all,
>
> >         I've found an issue with SQLDB when developing my application. The
> > URI handling does not allow special characters in database passwords.
> > Unfortunately, I must connect to the database from my application
> > using a password with special characters.
> > e.g. Consider the URI for a database which has an @ in the password:
> > postgres://username:p...@ssword@localhost:5432/database
>
> >         That is the simplest way to break the current URI handling. Consider
> > a more complex password like “a...@b:3/c”, which is a valid postgres
> > password and probably valid in other DBMS as well. It would build a
> > URI that looks something like:
> > postgres://username:a...@b:3/c...@host:port/database
>
> >         The regular expression CAN be carefully modified to allow all of
> > these characters in the password, but what about if you had special
> > characters in your username too? Imagine if you had a (valid but
> > contrived) postgres username like “u...@host/group:subgroup” with the
> > same “a...@b:3/c” password as before. Then your URI would look something
> > like:
> > postgres://u...@host/group:subgroup:a...@b:3/c...@host:port/database
>
> >         I think this exposes a problem in general with parsing username and
> > passwords from a URI, in that if you have these special characters you
> > can no longer parse them with a simple regular expression. If you look
> > at Section 3.1 of RFC 1738 - Uniform Resource Locators they already
> > thought of this, and they say that within the user and password field
> > you should encode any ":",  "@", or "/".
>
> >         I have tried modifying SQLDB to pass the username and password
> > through the urllib.unquote function as follows:
> >    user = urllib.unquote(m.group("user"))
> >    passwd = urllib.unquote(m.group("passwd"))
>
> >         Then when opening the database do something like this:
> > SQLDB("postgres://%(user)s:%(pass)s...@localhost:5432/database" % \
> >       ({'user': urllib.quote("test"),
> > 'pass':urllib.quote("p...@ssword"})))
>
> >         This works fine for me. And, passwords without special characters
> > will be unmodified by urllib.unquote().  In this way backwards
> > compatibility is mostly intact. However consider a user who currently
> > has a password with a % character. Even though it works fine now, if
> > you were to pass the password through urllib.unquote then it would
> > assume the % was an escape sequence and produce unexpected results for
> > them.
>
> >         What do you think?
>
> > Regards,
>
> > Josh Jaques
> > Seccuris Inc.
>
>

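The following is an added example illustrating the thread above; it is not web2py's code and not Josh's patch. It uses a hypothetical regex in the style of the one being discussed (web2py's real pattern is not shown on the page) and Python 3's urllib.parse.quote/unquote in place of the Python 2 urllib.quote/unquote named in the e-mails. It shows the three points made in the thread: a raw "@" in the password silently mis-parses, percent-encoded credentials round-trip even for the contrived "u@host/group:subgroup" / "a@b:3/c" pair, and an existing raw password containing "%" followed by two hex digits is changed by unquote() unless its "%" is re-encoded as "%25".

```python
import re
from urllib.parse import quote, unquote

# Hypothetical regex in the style of the one under discussion (not web2py's
# actual pattern): user and password may not contain ":" or "@" in raw form,
# which is exactly why RFC 1738 section 3.1 says to percent-encode them.
_URI_RE = re.compile(
    r"^(?P<scheme>[^:]+)://"
    r"(?P<user>[^:@]+)(?::(?P<passwd>[^@]*))?@"
    r"(?P<host>[^:/]+)(?::(?P<port>\d+))?"
    r"/(?P<db>.+)$"
)


def build_uri(scheme, user, passwd, host, port, db):
    """Build a connection URI, percent-encoding the credentials.

    safe="" makes quote() encode "/" as well (by default it leaves "/" alone),
    so ":", "@", "/" and "%" in user or password all become %XX escapes.
    """
    return "%s://%s:%s@%s:%d/%s" % (
        scheme, quote(user, safe=""), quote(passwd, safe=""), host, port, db)


def parse_uri(uri):
    """Parse a URI with the regex, then unquote() user and password as the
    proposed patch does.  Returns a dict of the components."""
    m = _URI_RE.match(uri)
    if m is None:
        raise ValueError("cannot parse URI: %r" % uri)
    parts = m.groupdict()
    parts["user"] = unquote(parts["user"])
    parts["passwd"] = unquote(parts["passwd"] or "")
    parts["port"] = int(parts["port"]) if parts["port"] else None
    return parts


def credentials_round_trip(user, passwd):
    """Encode credentials into a URI and parse them back out (constructed
    host/port/db values)."""
    uri = build_uri("postgres", user, passwd, "localhost", 5432, "database")
    parsed = parse_uri(uri)
    return parsed["user"], parsed["passwd"], parsed["host"]


if __name__ == "__main__":
    # 1. A raw "@" in the password misleads the regex: it silently takes
    #    "p" as the password and "ssword@localhost" as the host.
    raw = parse_uri("postgres://username:p@ssword@localhost:5432/database")
    print("raw:    passwd=%r host=%r" % (raw["passwd"], raw["host"]))

    # 2. Percent-encoded credentials survive even the contrived user name
    #    from the thread ("u@host/group:subgroup" with password "a@b:3/c").
    print("encoded:", credentials_round_trip("u@host/group:subgroup", "a@b:3/c"))

    # 3. The backward-compatibility caveat: an existing raw password that
    #    contains "%" followed by two hex digits is altered by unquote(),
    #    so such users would have to re-encode "%" as "%25".
    legacy = parse_uri("postgres://u:pass%41word@localhost:5432/database")
    print("legacy raw %r -> %r" % ("pass%41word", legacy["passwd"]))
    print("legacy re-encoded:", credentials_round_trip("u", "pass%41word"))
```

Note that the raw "@" case does not raise: the regex still matches, but with the wrong host and password, which is the worst failure mode for a connection string since the error only shows up as a refused connection somewhere else. Passwords without ":", "@", "/" or "%" are unaffected by either quote() or unquote(), which is the backward-compatibility argument made in the thread.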