Issue #12921 has been updated by wolfer (Sergey Fedosov).


kosaki (Motohiro KOSAKI) wrote:
> Linux kernel expert is here.

Hi. What do you think about this:

shyouhei (Shyouhei Urabe) wrote:
> ... environment variables are in fact insecure.  It is a very bad idea to store passwords there...



----------------------------------------
Bug #12921: Retrieve user and password for proxy from env
https://bugs.ruby-lang.org/issues/12921#change-64386

* Author: wolfer (Sergey Fedosov)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN
----------------------------------------
If ENV['http_proxy'] has something like 'http://user:password@192.168.1.1:3128', Net::HTTP will send the request through the proxy without the user and password, and the proxy responds with "407 Proxy authentication required".

I've read the discussion in #10652, but the reason for reverting seems a little strange to me.

Mr. Tanaka wrote that other utils allow storing passwords in a configuration file and "I think the missing piece is a library for password store for storing passwords in a file.".
But Ruby has no similar file. Setting the http_proxy env variable is the standard way to define proxy configuration, with credentials too. Most popular utils, applications and languages allow that variant. Ruby is said to follow the principle of least astonishment (POLA), isn't it? Why not make the behavior of Ruby the least surprising?

Otherwise the programmer has to create custom server-specific configuration logic (in most cases, trash). Any gems do not support setting up a proxy, and therefore monkey-patching is necessary... It looks like a dirty hack rather than following standards.

P.S. Sorry for my English. GT rules


---Files--------------------------------
proxy_credential_from_env.patch (617 Bytes)


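The application-side workaround the report describes, as an added example (not the attached patch and not Ruby's own code): parse the `http_proxy` value once, pass the credentials to `Net::HTTP.new` explicitly, and keep the password out of logs. The helper names and the sample value are hypothetical.

```ruby
require 'net/http'
require 'uri'

# Percent-decode a userinfo component. '+' is protected first because
# decode_www_form_component would otherwise turn it into a space.
def decode_userinfo(value)
  value && URI.decode_www_form_component(value.gsub('+', '%2B'))
end

# Read proxy settings, including credentials, from an http_proxy-style value.
# `env` is injectable so the function can be exercised without touching ENV.
def proxy_settings_from_env(env = ENV)
  raw = env['http_proxy'] || env['HTTP_PROXY']
  return nil if raw.nil? || raw.empty?

  uri = URI.parse(raw)
  return nil unless uri.host

  { host: uri.host, port: uri.port,
    user: decode_userinfo(uri.user), password: decode_userinfo(uri.password) }
end

# Build a Net::HTTP object with the proxy passed explicitly, so the
# credentials are used whatever the installed Ruby does with the env value.
def http_via_env_proxy(target_host, target_port, env = ENV)
  proxy = proxy_settings_from_env(env)
  return Net::HTTP.new(target_host, target_port, nil) unless proxy

  Net::HTTP.new(target_host, target_port,
                proxy[:host], proxy[:port], proxy[:user], proxy[:password])
end

# Form that is safe to write to logs: the password never appears.
def proxy_for_log(env = ENV)
  proxy = proxy_settings_from_env(env)
  return 'no proxy' unless proxy

  auth = proxy[:user] ? "#{proxy[:user]}:***@" : ''
  "#{auth}#{proxy[:host]}:#{proxy[:port]}"
end

# Constructed sample value; '%40' is an encoded '@' inside the password.
SAMPLE_ENV = { 'http_proxy' => 'http://user:p%40ss@192.168.1.1:3128' }.freeze
```

Nothing here opens a connection; `http_via_env_proxy('example.com', 80, SAMPLE_ENV)` only returns a configured `Net::HTTP` object.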