Issue #12921 has been updated by Shyouhei Urabe.


Motohiro KOSAKI wrote:
> Modern OSes don't have such a mistake.

I can't be sure, but if environment variables are in fact kept secure on all platforms that run Ruby, then I'm happy to withdraw my concern about security in ENV['http_proxy'].

----------------------------------------
Bug #12921: Retrieve user and password for proxy from env
https://bugs.ruby-lang.org/issues/12921#change-61829

* Author: Sergey Fedosov
* Status: Open
* Priority: Normal
* Assignee: 
* ruby -v: 
* Backport: 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN
----------------------------------------
If ENV['http_proxy'] has something like 'http://user:password@192.168.1.1:3128', Net::HTTP will send the request through the proxy without the user and password, and the proxy responds with "407 Proxy authentication required".

I've read the discussion in #10652, but the reason for reverting seems a little strange to me.

Mr. Tanaka wrote that other utils allow storing the password in a configuration file and "I think the missing piece is a library for password store for storing passwords in a file.".
But Ruby has no similar file. Setting the http_proxy env variable is the standard way to define proxy configuration, with credentials too. Most popular utils, applications and languages allow that variant. Ruby is said to follow the principle of least astonishment (POLA), isn't it? Why not make the behavior of Ruby least surprising?

Otherwise the programmer has to create custom server-specific configuration logic (in most cases, trash). Any gems do not support proxy setup, and therefore monkey-patching is necessary... It looks like a dirty hack rather than following standards.

P.S. Sorry for my English. GT rules


---Files--------------------------------
proxy_credential_from_env.patch (617 Bytes)
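
A workaround for the behaviour described in the issue, as an added example that is not part of the thread or of the attached patch: parse the proxy URL from the environment yourself, pass the credentials to `Net::HTTP.new` explicitly, and mask them before logging. The helper names (`decode_userinfo`, `proxy_settings_from_env`, `http_via_proxy`, `redacted_proxy`) are hypothetical and the sample proxy value is constructed.

```ruby
require 'net/http'
require 'uri'

# Percent-decode URL userinfo ("p%40ss" -> "p@ss") without treating "+" as space.
def decode_userinfo(str)
  str && str.b.gsub(/%(\h\h)/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Hypothetical helper: split the proxy URL found in an ENV-like hash into the
# arguments Net::HTTP.new accepts. Returns nil when the variable is unset or invalid.
def proxy_settings_from_env(env = ENV)
  raw = env['http_proxy'] || env['HTTP_PROXY']
  return nil if raw.nil? || raw.strip.empty?

  uri = URI.parse(raw.strip)
  return nil unless uri.is_a?(URI::HTTP) && uri.host

  { host: uri.host, port: uri.port,
    user: decode_userinfo(uri.user), pass: decode_userinfo(uri.password) }
rescue URI::InvalidURIError
  nil
end

# Build a connection object with the proxy credentials passed explicitly.
# Nothing is sent until a request is made on the returned object.
def http_via_proxy(host, port, settings)
  return Net::HTTP.new(host, port, nil) unless settings # nil = no proxy

  Net::HTTP.new(host, port, settings[:host], settings[:port],
                settings[:user], settings[:pass])
end

# Loggable form of the proxy setting with the credentials masked.
def redacted_proxy(settings)
  return 'none' unless settings

  "http://#{settings[:user] ? '***@' : ''}#{settings[:host]}:#{settings[:port]}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample value, same shape as the one in the issue description.
  sample = { 'http_proxy' => 'http://user:p%40ss@192.168.1.1:3128' }
  settings = proxy_settings_from_env(sample)
  http = http_via_proxy('example.com', 80, settings)
  puts "proxy: #{redacted_proxy(settings)} (user set: #{!http.proxy_user.nil?})"
end
```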


-- 
https://bugs.ruby-lang.org/
