[MPlayer-dev-eng] [PATCH 1/7] Unescape login/password before base64 encode

Clément Bœsch ubitux at gmail.com
Thu Nov 11 13:41:39 CET 2010


On Wed, Nov 10, 2010 at 09:20:08PM +0100, Reimar Döffinger wrote:
> On Wed, Nov 10, 2010 at 08:50:28PM +0100, Clément Bœsch wrote:
> > On Wed, Nov 10, 2010 at 08:35:46PM +0100, Reimar Döffinger wrote:
> > > I have the suspicion that this is wildly escaping and unescaping until
> > > it just happens to work without any real concept.
> > > Why does url_new not just apply escaping only to the path part?
> > 
> > As I said the first time, I started to make a patch to update the
> > escaping, but it much more complicated and risky; imagine you simply have
> > to parse: http_proxy://foo:bar@host:4321/http://xxx:yyy@proxy:1234. There
> > is some cases not easy to handle.
> 
> And what about unescaping in url_new when username/password is assigned?
> 

Yes, this seems actually to be a better solution.

> > > I don't think escaping is supposed to be applied to anything else.
> > 
> > We could also have users who try to make special character by urlencoding
> > themselves the password (special char not easy to escape with the shell,
> > or simply break url parsing in MPlayer because of ':' or '@' in it).
> > MPlayer urlencode won't change the string, but the http auth code will be
> > able to decode it.
> 
> Well, thinking more about it I have the suspicion that your patch will
> actually break e.g. %20 as password, it well end up using a single space
> as password (unless you pre-escape it of course)...
> Doing it in url_new would at least allow the other method of specifying
> it...
> I'd actually be quite curious what webbrowser do in such a case.

MPlayer is closer to curl than a browser in term of use, so I just
compared with it, and here is the behaviour:

  curl 'http://usr:%20@localhost:8000'     => 'dXNyOiA='     => 'usr: '
  curl 'http://locahost:8000' -u 'usr:%20' => 'dXNyOiUyMA==' => 'usr:%20'

So indeed, unescaping in url_new seems to be the right thing to do. Patch
attached.

If you want to test, note that the form mplayer $url -user $usr -passwd
$pass will not send the auth at first, it waits for the server to ask for
an Auth Required signal.

-- 
Clément B.
Not sent from a jesusPhone.


More information about the MPlayer-dev-eng mailing list