Issue #12921 has been updated by Sergey Fedosov.


Shyouhei Urabe wrote:
> Yuri Samoilenko wrote:
> > What do you mean when you say "insecure"? Storing the login and password in the filesystem and then reading them and passing them to the HTTP request manually is secure? Insecure is the ability to pass login/password in plain form like "http://user:password@192.168.1.1:3128", but how is that linked to Ruby?
> 
> I'm not talking about files, but environment variables.  On some operating systems, a process's environment variables are visible to any user, not only you.  Exposing authorization info in that sort of area is not a safe thing.  ENV['http_proxy'] should not include such info.  Further reading: http://yong321.freeshell.org/computer/ProcEnv.txt

Yuri Samoilenko said that it's an operating system problem if any user can read your env. Not Ruby.
Anyway, http_proxy is the standard way to set a proxy, and with auth too.


----------------------------------------
Bug #12921: Retrieve user and password for proxy from env
https://bugs.ruby-lang.org/issues/12921#change-61813

* Author: Sergey Fedosov
* Status: Open
* Priority: Normal
* Assignee: 
* ruby -v: 
* Backport: 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN
----------------------------------------
If ENV['http_proxy'] has something like 'http://user:password@192.168.1.1:3128', Net::HTTP will send the request through the proxy without the user and password, and the proxy responds with "407 Proxy authentication required".

I've read the discussion in #10652, but the reason for reverting seems a little strange to me.

Mr. Tanaka wrote that other utils allow storing the password in a configuration file and "I think the missing piece is a library for password store for storing passwords in a file.".
But Ruby has no similar file. Setting the http_proxy env is the standard way to define proxy configuration, with credentials too. The most popular utils, applications and languages allow that variant. Ruby is said to follow the principle of least astonishment (POLA), isn't it? Why not make the behavior of Ruby least surprising?

Otherwise the programmer has to create custom server-specific configuration logic (in most cases trash). No gems support setting up proxy settings, and therefore it is necessary to monkey-patch... It looks like a dirty hack rather than following standards.

P.S. Sorry for my English. GT rules


---Files--------------------------------
proxy_credential_from_env.patch (617 Bytes)
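For readers hitting the 407 described in the report, here is the workaround the reporter calls "custom configuration logic": parse the proxy URL yourself and hand the credentials to Net::HTTP explicitly, so nothing depends on whether the running Ruby reads user:password out of http_proxy. This is an added example, not the reporter's patch (which is not shown on this page) and not part of Ruby's own code; the sample environment hash and the helper names are constructed for illustration.

```ruby
require 'uri'
require 'net/http'

# Constructed sample environment, standing in for ENV. The password contains
# '@', which must be percent-encoded (%40) inside the userinfo part of the URL.
SAMPLE_ENV = { 'http_proxy' => 'http://user:pass%40word@192.168.1.1:3128' }.freeze

# Plain percent-decoding for the userinfo part ('+' is not a space here, so
# URI.decode_www_form_component would be the wrong tool).
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(str.encoding)
end

# Look up the proxy URL the way curl and most tools do: lower-case name first,
# upper-case as a fallback. Pass a Hash to test without touching the real ENV.
def proxy_url_from_env(env = ENV)
  env['http_proxy'] || env['HTTP_PROXY']
end

# Split http://user:password@host:port into its parts. Returns nil when no
# proxy is configured; user/pass are nil when the URL carries no credentials.
def proxy_settings_from_url(url)
  return nil if url.nil? || url.empty?
  uri = URI.parse(url)
  raise ArgumentError, "unsupported proxy scheme: #{uri.scheme.inspect}" unless uri.scheme == 'http'
  {
    host: uri.host,
    port: uri.port,
    user: uri.user && percent_decode(uri.user),
    pass: uri.password && percent_decode(uri.password)
  }
end

# Build a Net::HTTP client for +target+ that goes through the proxy described by
# +proxy_url+, passing host, port, user and password explicitly. When no proxy
# URL is given, p_addr is set to nil on purpose: the default (:ENV) would make
# Net::HTTP consult the environment again, which is exactly what we are avoiding.
def http_via_proxy(target, proxy_url)
  t = URI.parse(target)
  p = proxy_settings_from_url(proxy_url)
  return Net::HTTP.new(t.host, t.port, nil) if p.nil?
  Net::HTTP.new(t.host, t.port, p[:host], p[:port], p[:user], p[:pass])
end

if __FILE__ == $PROGRAM_NAME
  http = http_via_proxy('http://example.com/', proxy_url_from_env(SAMPLE_ENV))
  puts "proxy: #{http.proxy_address}:#{http.proxy_port} user=#{http.proxy_user.inspect}"
  # http.start { |h| h.get('/') } would now send Proxy-Authorization itself.
end
```

The client is only constructed here, not started, so the snippet runs offline. Note that this does nothing about Shyouhei Urabe's objection above: the credentials still sit in the process environment, which on some systems other local users can read, so a file readable only by the owner or a proper secret store remains the tighter option for the password itself.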


-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>