Do not double-decode username and password in SQLAlchemy URL#616
Open
arpitjain099 wants to merge 1 commit into
Open
Do not double-decode username and password in SQLAlchemy URL#616arpitjain099 wants to merge 1 commit into
arpitjain099 wants to merge 1 commit into
Conversation
SQLAlchemy's make_url already percent-decodes the userinfo, so passing url.username and url.password through unquote_plus again corrupted any literal '+' into a space, breaking authentication for passwords that contain a plus sign. The form-encoding '+' means space convention only applies to the query string, not to the userinfo component, so the existing unquote_plus calls for query parameters are left unchanged. Fixes trinodb#611 Signed-off-by: arpitjain099 <arpitjain099@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
When connecting through SQLAlchemy, a password that contains a literal
+was being corrupted into a space, which then failed authentication with a 401. The cause is a double decode: SQLAlchemy'smake_url()already percent-decodes the userinfo, andcreate_connect_argsthen ranurl.usernameandurl.passwordthroughunquote_plusa second time.unquote_plusfollows the form-encoding rule where+means space, but that rule only applies to the query string, not to the userinfo, sopass+wordbecamepass word.The fix uses
url.usernameandurl.passworddirectly since SQLAlchemy has already decoded them. This mirrors what SQLAlchemy itself did for the same problem (see sqlalchemy/sqlalchemy#2873). Theunquote_pluscalls on the query parameters are intentionally left as-is, because there+really does mean space and the values are not form-decoded by SQLAlchemy.I added a regression test with
+in both the username and password, and the fulltests/unit/sqlalchemy/test_dialect.pysuite passes (19 tests). Closes #611.Non-technical explanation
Passwords with a plus sign in them now work when you connect using a SQLAlchemy URL, instead of failing to log in.
Release notes
( ) This is not user-visible or docs only and no release notes are required.
(x) Release notes are required, with the following suggested text: