Right split the url in the opener opener to fix the case when the password contains an @

[GoogleCodeExporter]

Hi,

I’ve noticed when using the fs.opener that when passing in a fs_url with the 
username and password it fails to properly split the credentials from the url 
if the password contains an @ symbol. This would be solved simply by doing an 
rsplit() instead of a split() on the fs_url when parsing the url to extract the 
credentials. I believe the hostname or path shouldn’t contain @ symbols and 
the most likely place to find these would be in the password.

An alternative solution would be to use urllib.quote_plus()/unquote_plus() to 
decode the given urls and require people using special characters to pass in 
url-encoded fs_urls.

All the best,
Inti


Index: fs/opener.py
===================================================================
--- fs/opener.py               (revision )
+++ fs/opener.py             (revision )
@@ -94,7 +94,7 @@
     username = None
     password = None    
     if '@' in url:
-        credentials, url = url.split('@', 1)
+        credentials, url = url.rsplit('@', 1)
         if ':' in credentials:
             username, password = credentials.split(':', 1)
         else:

Original issue reported on code.google.com by [email protected] on 30 Sep 2013 at 12:57

Attachments:

• fs_opener_right_split_url.patch

[GoogleCodeExporter]

Would this also cause problems if there was a : in the password?

IMHO the most logical way to solve this would be by using the same rules as 
defined in http://tools.ietf.org/html/rfc3986#section-3.2

Original comment by [email protected] on 30 Sep 2013 at 8:50

[GoogleCodeExporter]

I don't think it would cause an issue if there was a : in the password as by 
the time we get to that point we have a string like 'username:password' so 
doing a left split here makes sense. This could break if the username contained 
a : but I imagine that would be much less likely.

I agree the right thing to do would be to follow the rfc URI syntax rules which 
say that to use any of the reserved characters you have to use url encoded 
versions of them. See my second paragraph in my first message about using 
urllib.unquote_plus()

Original comment by [email protected] on 1 Oct 2013 at 7:32

[GoogleCodeExporter]

I concur, the 'right' thing to do is probably the url quoting. Although it's a 
bit unfortunate given that openers are used mostly on the command line.

To be honest, the opener parser could use a revisit. I'm sure we could 
formalize the syntax a bit. And I never did get round to writing tests!

Original comment by willmcgugan on 1 Oct 2013 at 8:03

• Changed state: Accepted