Issue #12921 has been updated by Yuri Samoilenko.


Shyouhei Urabe wrote:
> You have to understand that environment variables are in fact insecure.  It is a very bad idea to store passwords there.  Surprising or not, insecure is insecure.  We shall not introduce this.

What do you mean when you say "insecure"? Is storing the login and password in the filesystem, then reading them and passing them to the HTTP request manually, secure? What is insecure is the ability to pass the login/password in plain form like "http://user:password@192.168.1.1:3128", but how is that linked to Ruby?

----------------------------------------
Bug #12921: Retrieve user and password for proxy from env
https://bugs.ruby-lang.org/issues/12921#change-61806

* Author: Sergey Fedosov
* Status: Open
* Priority: Normal
* Assignee: 
* ruby -v: 
* Backport: 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN
----------------------------------------
If ENV['http_proxy'] has something like 'http://user:password@192.168.1.1:3128', Net::HTTP will send the request through the proxy without the user and password, and the proxy responds with "407 Proxy authentication required".

I've read the discussion in #10652, but the reason for reverting seems a little strange to me.

Mr. Tanaka wrote that other utils allow storing the password in a configuration file, and "I think the missing piece is a library for password store for storing passwords in a file.".
But Ruby has no similar file. Setting the http_proxy env variable is the standard way to define proxy configuration, with credentials too. Most popular utils, applications and languages allow that variant. Ruby is said to follow the principle of least astonishment (POLA), isn't it? Why not make Ruby's behavior the least surprising?

Otherwise the programmer has to create custom server-specific configuration logic (in most cases, trash). Any gems do not support setting up proxy settings, and therefore monkey-patching is necessary... It looks like a dirty hack rather than following standards.

P.S. Sorry for my English. GT rules


---Files--------------------------------
proxy_credential_from_env.patch (617 Bytes)
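
The workaround the issue describes (reading the credentials out of http_proxy and handing them to Net::HTTP explicitly), as an added example that is not part of the thread or of the attached patch. The helper names `proxy_settings`, `http_via_proxy` and `redacted_proxy_url` and the sample password are assumptions made for illustration.

```ruby
require 'net/http'
require 'uri'

# Percent-decode URL userinfo ("p%40ss" -> "p@ss"). Unlike form decoding,
# a literal "+" is left untouched.
def unescape_userinfo(str)
  str.b.gsub(/%\h\h/) { |m| [m[1, 2]].pack('H2') }.force_encoding('UTF-8')
end

# Split an http_proxy value into the pieces Net::HTTP.new accepts.
# Returns nil when no proxy is configured. `env` is any object with #[].
def proxy_settings(env = ENV)
  raw = env['http_proxy'] || env['HTTP_PROXY']
  return nil if raw.nil? || raw.strip.empty?

  uri = URI.parse(raw.strip)
  raise ArgumentError, 'proxy URL has no host' unless uri.host

  { host: uri.hostname, port: uri.port,
    user: uri.user && unescape_userinfo(uri.user),
    pass: uri.password && unescape_userinfo(uri.password) }
end

# Build a Net::HTTP object that authenticates to the proxy. Passing the
# proxy arguments explicitly avoids relying on the :ENV default.
def http_via_proxy(target_host, target_port, env = ENV)
  px = proxy_settings(env)
  return Net::HTTP.new(target_host, target_port, nil) unless px # nil = direct

  Net::HTTP.new(target_host, target_port,
                px[:host], px[:port], px[:user], px[:pass])
end

# Form of the proxy URL that is safe to log: the password is masked.
def redacted_proxy_url(raw)
  uri = URI.parse(raw)
  auth = uri.user ? "#{uri.user}#{':***' if uri.password}@" : ''
  "#{uri.scheme}://#{auth}#{uri.host}:#{uri.port}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample value in the shape quoted in the issue.
  sample = { 'http_proxy' => 'http://user:p%40ss@192.168.1.1:3128' }
  http = http_via_proxy('example.com', 80, sample) # no connection is opened here
  puts "proxy: #{redacted_proxy_url(sample['http_proxy'])} user=#{http.proxy_user}"
end
```
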

