Project

General

Profile

Actions

Bug #18908

closed

Allow username and password to be extracted from the http_proxy variable on Windows

Added by ggrossetie (Guillaume GROSSETIE) over 2 years ago. Updated about 2 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:109190]

Description

According to #12921 only Linux, FreeBSD and Darwin (macOS) provides environment variables that are "multi-user" safe.

I'm not a Windows expert but as far as I know it's possible to configure user environment variables on Windows that are only accessible to the currently logged-in user: https://stackoverflow.com/a/4477669

Maybe this restriction should be lifted?

https://github.com/ruby/ruby/blob/8b98b9e274ea0a749044e044ee03ee1095aa75d0/lib/net/http.rb#L1225

Updated by jeremyevans0 (Jeremy Evans) over 2 years ago

I agree that we should remove the restriction. I submitted a pull request for that: https://github.com/ruby/net-http/pull/66

Actions #2

Updated by jeremyevans (Jeremy Evans) about 2 years ago

  • Status changed from Open to Closed

Applied in changeset git|cd77e71bbac9616a906f6823a8eba4922821e9ad.


[ruby/net-http] Remove ENVIRONMENT_VARIABLE_IS_MULTIUSER_SAFE

This list is out of date. At least OpenBSD since 2013 does not
allow one user to read the environment variables of a process
run by another user.

While we could try to keep the list updated, I think it's a bad
idea to not use the user/password from the environment, even if
another user on the system could read it. If http_proxy exists
in the environment, and other users can read it, it doesn't
make it more secure for Ruby to ignore it. You could argue that
it encourages poor security practices, but net/http should provide
mechanism, not policy.

Fixes [Bug #18908]

https://github.com/ruby/net-http/commit/1e4585153d

Actions

Also available in: Atom PDF

Like0
Like0Like0