I think you are right. Can you send me a patch? Or I can do it but not today. ;-)
On Sep 29, 11:01 am, Josh J <jjaq...@seccuris.com> wrote:
> Hey all,
>
> I've found an issue with SQLDB when developing my application. The
> URI handling does not allow special characters in database passwords.
> Unfortunately, I must connect to the database from my application
> using a password with special characters.
> e.g. Consider the URI for a database which has an @ in the password:
> postgres://username:p...@ssword@localhost:5432/database
>
> That is the simplest way to break the current URI handling. Consider
> a more complex password like “...@b:3/c”, which is a valid postgres
> password and probably valid in other DBMS as well. It would build a
> URI that looks something like:
> postgres://username:a...@b:3/c...@host:port/database
>
> The regular expression CAN be carefully modified to allow all of
> these characters in the password, but what about if you had special
> characters in your username too? Imagine if you had a (valid but
> contrived) postgres username like “u...@host/group:subgroup” with the
> same “...@b:3/c” password as before. Then your URI would look something
> like:
> postgres://u...@host/group:subgroup:a...@b:3/c...@host:port/database
>
> I think this exposes a problem in general with parsing usernames and
> passwords from a URI, in that if you have these special characters you
> can no longer parse them with a simple regular expression. If you look
> at Section 3.1 of RFC 1738 - Uniform Resource Locators, they already
> thought of this, and they say that within the user and password fields
> you should encode any ":", "@", or "/".
>
> I have tried modifying SQLDB to pass the username and password
> through the urllib.unquote function as follows:
>     user = urllib.unquote(m.group("user"))
>     passwd = urllib.unquote(m.group("passwd"))
>
> Then when opening the database do something like this:
>     SQLDB("postgres://%(user)s:%(pass)s...@localhost:5432/database" % \
>         ({'user': urllib.quote("test"),
>           'pass': urllib.quote("p...@ssword")}))
>
> This works fine for me. And, passwords without special characters
> will be unmodified by urllib.unquote(). In this way backwards
> compatibility is mostly intact. However, consider a user who currently
> has a password with a % character. Even though it works fine now, if
> you were to pass the password through urllib.unquote then it would
> assume the % was an escape sequence and produce unexpected results for
> them.
>
> What do you think?
>
> Regards,
>
> Josh Jaques
> Seccuris Inc.
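The RFC 1738 approach the post describes, written out as an added example (this is not SQLDB's code): credentials are percent-encoded before the URI is assembled and decoded only after the regex has split it, so a raw "@" in a password is rejected instead of mis-parsed, and the "%" backwards-compatibility problem is made visible. The function names, the regex and the sample credentials are this example's own assumptions.

```python
import re
from urllib.parse import quote, unquote

# Hypothetical pattern for scheme://user:passwd@host[:port]/db. Because the
# credential fields are required to be percent-encoded (RFC 1738 s.3.1),
# they can never contain a raw ':', '@' or '/', so the split is unambiguous.
URI_RE = re.compile(
    r"^(?P<scheme>[a-z0-9+]+)://"
    r"(?P<user>[^:@/]+):(?P<passwd>[^:@/]*)@"   # encoded credentials only
    r"(?P<host>[^:@/]+)(?::(?P<port>\d+))?"
    r"/(?P<db>[^?#]+)$"
)


def build_uri(scheme, user, passwd, host, port, db):
    """Encode credentials; safe='' also escapes ':', '@', '/' and '%' itself."""
    return "%s://%s:%s@%s:%d/%s" % (
        scheme, quote(user, safe=""), quote(passwd, safe=""), host, port, db)


def parse_uri(uri):
    """Split a DB URI and decode the credential fields.

    A raw '@' in the password makes the match fail, which raises ValueError
    rather than silently assigning the wrong host or password.
    """
    m = URI_RE.match(uri)
    if m is None:
        raise ValueError("URI is not scheme://user:passwd@host[:port]/db")
    parts = m.groupdict()
    parts["user"] = unquote(parts["user"])
    parts["passwd"] = unquote(parts["passwd"])
    parts["port"] = int(parts["port"]) if parts["port"] else None
    return parts


def is_parseable(uri):
    try:
        parse_uri(uri)
        return True
    except ValueError:
        return False


def legacy_password_survives(passwd):
    """True if a password stored raw (never quoted) passes unquote unchanged.

    This is the compatibility issue raised in the post: '%' followed by two
    hex digits is decoded as an escape, so such a password silently changes.
    """
    return unquote(passwd) == passwd
```

Constructed sample values: the contrived username "u@host/group:subgroup" and password "a@b:3/c" round-trip once encoded, while a legacy password such as "100%ab" only survives if it is re-stored as "100%25ab".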