Encode any ":", "@" or "/" within the user and password field in proxy settings.

Bug #130289 reported by tube on 2007-08-04
Affects Status Importance Assigned to Milestone
GNOME Terminal
Fix Released
apt (Debian)
Fix Released
apt (Ubuntu)
gnome-terminal (Ubuntu)
synaptic (Ubuntu)
Jean-Baptiste Lallement

Bug Description

Binary package hint: synaptic

I'm not very familiar with the long term proxy strategy in ubuntu, so it is kind of obvious for me that an "@" sign in the password will not work for the variable:

maybe you need quotes in order to parse that

It is not clear to me though when I type the password into a password field as I had to do it for the synaptic proxy settings.
I was using such a password ever since. No problem for firefox or other browsers.

In this case synaptic reveals even parts of my password in the error message.

I changed my password, but I guess this needs to be changed. Just wanted to let you know. Hope it helps.

Michael Vogt (mvo) on 2007-10-04
Changed in synaptic:
importance: Undecided → High
status: New → Confirmed
Mark O'Donohue (mark-odonohue) wrote :

This also happens with entering using authentication via the gui proxy settings.

My understanding was that in apt.conf it should work if you URL encode the @ sign ie:


But entering this via the gui or by directly adding it to apt.conf did not work.

Using the gui with the above it would complain that "could not find host ssword@server" so somewhere there someone was URL decodign the string before splitting on the @ sign as well.

This was in a Ubuntu 7.10 installation

Jean-Baptiste Lallement (jibel) wrote :

According to the specs (http://www.w3.org/Addressing/rfc1738.txt) the scheme http://<user>:<password>@<host>:<port>/ is not valid.
The specs also mentioned that:
"The user name (and password), if present, are followed by a
   commercial at-sign "@". Within the user and password field, any ":",
   "@", or "/" must be encoded.

So there is a synaptic issue not encoding username and password and an apt issue accepting an invalid scheme but this behavior is documented in the apt.conf man page.
Setting to triaged.

Changed in synaptic (Ubuntu):
status: Confirmed → Triaged
summary: - synaptic proxy password must not contain "@" sign
+ Encode any ":", "@" or "/" within the user and password field in proxy
+ settings.
tags: added: proxy
Changed in apt (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in gnome-control-center (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in apt (Ubuntu):
assignee: nobody → Jean-Baptiste Lallement (jibel)
status: Triaged → In Progress
Michael Vogt (mvo) wrote :

This is a bit of a stack in the dark, but could you please try:

=== modified file 'apt-pkg/acquire-worker.cc'
--- apt-pkg/acquire-worker.cc 2009-07-21 14:05:52 +0000
+++ apt-pkg/acquire-worker.cc 2010-03-25 14:05:09 +0000
@@ -464,7 +464,7 @@
       if (Top->Value.empty() == false)
- string Line = "Config-Item: " + QuoteString(Top->FullTag(),"=\"\n") + "=";
+ string Line = "Config-Item: " + QuoteString(Top->FullTag(),"%=\"\n") + "=";
   Line += QuoteString(Top->Value,"\n") + '\n';
   Message += Line;

and see if that helps?

Michael Vogt (mvo) wrote :

I just played with this in python-apt:

>>> import apt_pkg
>>> s="http://user2:p%40s%2Fs%3Aword@localhost:3128"
>>> apt_pkg.DeQuoteString(apt_pkg.QuoteString(s, '="\n'))
>>> apt_pkg.DeQuoteString(apt_pkg.QuoteString(s, '="\n%'))
>>> apt_pkg.DeQuoteString(apt_pkg.QuoteString(s, '="\n%')) == s

And I think it may fix the problem.

Jean-Baptiste Lallement (jibel) wrote :

debug log.

The proxy string http://user2:p%40ssword@localhost:3128
And you'll see the host part interpreted by apt is "ssword@localhost:3128"
The parser in strutl stops at the 1rst @ (which is correct)
The password shouldn't be unquoted before being parsed.

Jean-Baptiste Lallement (jibel) wrote :

The problem is not the encoding of messages between the worker and the method but in the method's configuration handler AcqMethod::Configuration

This method takes the message string, unquote all the items (hence the URI), and set the associated configuration item.
The De/QuoteString method is not bijective if the string already contains one of the unquoted character.
http://user2:p%40ssword@localhost:3128 is unquoted to http://user2:p@ssword@localhost:3128
the resulting string is an invalid URI and cannot be parsed and the quoting cannot be reversed because
http://user2:p@ssword@localhost:3128 will give http://user2:p%40ssword%40localhost:3128

I made a quick fix to the parser for the '@' but if the password contains an '/' it becomes quite tricky and it's more of a hack than a fix. Furthermore the problem is not the uri parser here.

We cannot escape the URI in HttpMethod::Configuration for the reason above.

At first sight, a solution could be to add an exclusion list of items that should not be dequoted in the configuration handler and processed specifically in each method.

I'll try to post a prototype.

Jean-Baptiste Lallement (jibel) wrote :

Apt fix committed to my branch r1755

For information the latest about URI syntax is RFC is 3986

Changed in apt (Ubuntu):
status: In Progress → Triaged
Changed in synaptic (Ubuntu):
assignee: nobody → Jean-Baptiste Lallement (jibel)
Jean-Baptiste Lallement (jibel) wrote :

reaffecting to gnome-terminal since it's it that set http_proxy.

affects: gnome-control-center (Ubuntu) → gnome-terminal (Ubuntu)
Jean-Baptiste Lallement (jibel) wrote :

here is the patch for the gnome-terminal.

Changed in gnome-terminal (Ubuntu):
assignee: nobody → Jean-Baptiste Lallement (jibel)

Note to sponsors, this is a group a 3 patches. the synaptic and gnome-terminal patches make sense only if the apt patch is applied.


the following updated patch has been applied upstream to gnome-terminal

Thanks to Behdad Esfahbod

Changed in gnome-terminal (Ubuntu):
status: Triaged → Fix Committed
assignee: Jean-Baptiste Lallement (jibel) → nobody
Changed in apt (Ubuntu):
assignee: Jean-Baptiste Lallement (jibel) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt -

apt ( lucid; urgency=low

  [ David Kalnischkies ]
  * cmdline/apt-get.cc:
    - try version match in FindSrc first exact than fuzzy (LP: #551178)

  [ Jean-Baptiste Lallement ]
  * apt-pkg/contrib/strutl.cc:
    - always escape '%' (LP: #130289) (Closes: #500560)
    - unescape '%' sequence only if followed by 2 hex digit
    - username/password are urlencoded in proxy string (RFC 3986)
 -- Michael Vogt <email address hidden> Wed, 31 Mar 2010 21:59:42 +0200

Changed in apt (Ubuntu):
status: Triaged → Fix Released
Changed in apt (Debian):
status: Unknown → New
Michael Vogt (mvo) wrote :

synaptic (0.63.1ubuntu3) lucid; urgency=low

  [ Jean-Baptiste Lallement ]
  * * gtk/rgpreferenceswindow.cc: escape '@/:%' in proxy auth string (LP:

Changed in synaptic (Ubuntu):
status: Triaged → Fix Released
Changed in apt (Debian):
status: New → Fix Committed
Changed in apt (Debian):
status: Fix Committed → Fix Released
Changed in gnome-terminal:
status: Unknown → Fix Released
Adam Guthrie (therigu) on 2010-06-22
tags: added: patch-accepted-upstream
Changed in gnome-terminal:
importance: Unknown → Medium
Jeremy Bicha (jbicha) on 2011-03-15
Changed in gnome-terminal (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.