Bug#623443: Please do not use $http_proxy if its protocol part is nonsense

Enrico Zini Wed, 20 Apr 2011 02:45:52 -0700

Package: apt
Version: 0.8.13.1
Severity: minor

Hello,


thank you for your work on apt!

I stumbled on a little annoyance with proxy settings. Given this:
  
  # export http_proxy=enrico:password@proxy-cache.localnet:3128
  # aptitude

I see that aptitude tries to resolve "password@proxy-cache.localnet",
which leaks my password in cleartext through the local network. I reckon
this is because "enrico:" is taken as the protocol part.

I accept this is an error in setting up the http_proxy variable; on the
other hand, many programs work without the "http://"; part, making the
misconfiguration hard to notice, and the consequences of the error are
quite dire and (in theory) easily prevented.


Ciao,

Enrico

-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2010.08.28       GnuPG archive keys of the Debian a
ii  gnupg                   1.4.11-3         GNU privacy guard - a free PGP rep
ii  libc6                   2.11.2-11        Embedded GNU C Library: Shared lib
ii  libgcc1                 1:4.6.0-2        GCC support library
ii  libstdc++6              4.6.0-2          The GNU Standard C++ Library v3
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc                     <none>       (no description available)
ii  aptitude                    0.6.3-4      terminal-based package manager (te
ii  bzip2                       1.0.5-6      high-quality block-sorting file co
ii  dpkg-dev                    1.16.0.2     Debian package development tools
ii  lzma                        4.43-14      Compression method of 7z format in
ii  python-apt                  0.7.100.3+b1 Python interface to libapt-pkg
ii  synaptic                    0.75.1       Graphical package manager

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#623443: Please do not use $http_proxy if its protocol part is nonsense

Reply via email to