Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support credentials in configuration for private PyPI #4315

Closed
prokopst opened this issue Mar 4, 2017 · 5 comments
Closed

Support credentials in configuration for private PyPI #4315

prokopst opened this issue Mar 4, 2017 · 5 comments
Labels
auto-locked Outdated issues that have been locked by automation C: configuration Configuration management and loading type: enhancement Improvements to functionality type: security Has potential security implications

Comments

@prokopst
Copy link

prokopst commented Mar 4, 2017

Right now credentials for index-url in the configuration are stored in the url itself. I propose to somehow support credentials directly (or explicitly) in the configuration for private PyPIs because of following reasons:

  1. Right now credentials are leaked on multiple places. With this configuration:
[global]
index-url = https://thisis:test@pypi.python.org/simple
[search]
index = https://thisis:test@pypi.python.org/pypi

pip install --help shows:

Package Index Options (including deprecated options):
-i, --index-url Base URL of Python Package Index (default https://thisis:test@pypi.python.org/simple). This should point to a repository compliant with PEP 503 (the simple repository API) or a local directory laid out in the same format.

pip search --help shows:

Search Options:
-i, --index Base URL of Python Package Index (default https://thisis:test@pypi.python.org/pypi)

  1. With more exotic characters in the password it's not possible to use credentials in url at all:
[global]
index-url = https://username:pass/@word@pypi.python.org/simple
[search]
index = https://username:pass/@word@pypi.python.org/pypi
  1. AFAIK NuGet, mvn and npm support explicit auth since it's a good practice.
@zmt
Copy link

zmt commented May 12, 2017

Also see #4475.

@pradyunsg pradyunsg added type: enhancement Improvements to functionality C: configuration Configuration management and loading labels Jun 28, 2017
@greysteil greysteil mentioned this issue Apr 27, 2018
Closed
@clemensutschig clemensutschig mentioned this issue Aug 17, 2018
Closed
@chrahunt
Copy link
Member

chrahunt commented Oct 27, 2018
edited
Loading

The situation is slightly better if using ~/.netrc e.g.

machine pypi.python.org
login username
password pass/@word

However netrc does not support spaces in the username or password fields. This would be fixed by python/cpython#127.

@cjerdonek cjerdonek added the type: security Has potential security implications label Oct 27, 2018
@cjerdonek
Copy link
Member

cjerdonek commented Oct 27, 2018
edited
Loading

Independent of adding separate fields for the credentials, the passwords should not be leaking. PR #5773 (now merged) should help with addressing that issue: #5773

@cjerdonek
Copy link
Member

  1. With more exotic characters in the password it's not possible to use credentials in url at all:

Regarding (2), have you tried percent-encoding the username and password prior to including it in the URL (e.g. using Python 3's urllib.parse.quote()? On inspection, it looks like this should already be working in the currently released pip. If not, it would be good to know for sure. You can see that pip is unquoting these values in the download code here:

pip/src/pip/_internal/download.py

Lines 218 to 222 in 4ccea7e

userinfo = netloc.rsplit("@", 1)[0]
if ":" in userinfo:
user, pwd = userinfo.split(":", 1)
return (urllib_unquote(user), urllib_unquote(pwd))
return urllib_unquote(userinfo), None

@zooba zooba mentioned this issue Nov 6, 2018
Merged
@drunkwcodes drunkwcodes mentioned this issue Apr 3, 2019
Closed
2 tasks
@chrahunt
Copy link
Member

chrahunt commented Oct 8, 2019

The best proposal we have for an improvement in this area right now is #4263, so I will close this issue in favor of that one.

As mentioned by @cjerdonek, there should be no credentials leaking in log output or otherwise. If anyone is seeing this, please check for and file if issue if not already present.

@chrahunt chrahunt closed this as completed Oct 8, 2019
@lock lock bot added the auto-locked Outdated issues that have been locked by automation label Nov 7, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Nov 7, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
auto-locked Outdated issues that have been locked by automation C: configuration Configuration management and loading type: enhancement Improvements to functionality type: security Has potential security implications
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@zmt @cjerdonek @prokopst @chrahunt @pradyunsg