
cmd/go/internal/auth: the .netrc parser doesn't understand passphrases with spaces #39403

Closed
ainar-g opened this issue Jun 4, 2020 · 11 comments
Labels
FrozenDueToAge GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Security WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Comments

@ainar-g
Contributor

ainar-g commented Jun 4, 2020

What version of Go are you using (go version)?

$ go version
go version go1.14.3 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="off"
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/ainar/.cache/go-build"
GOENV="/home/ainar/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/tmp/g"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/ainar/go/go1.14"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/ainar/go/go1.14/pkg/tool/linux_amd64"
GCCGO="/usr/bin/gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build748023900=/tmp/go-build -gno-record-gcc-switches"

What did you do?

With this in my .netrc:

machine my.git.host login ainar-g password "very long and secure passphrase"

I did:

$ go get my.git.host/go-package

What did you expect to see?

Package in my GOPATH.

What did you see instead?

401 from the server. I assume that it's because the .netrc parser doesn't understand quoted passphrases with spaces. IIRC, they're not standard, but are a common extension. Current code just uses strings.Fields.

@dmitshur dmitshur added GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Security labels Jun 4, 2020
@dmitshur dmitshur added this to the Backlog milestone Jun 4, 2020
@dmitshur
Contributor

dmitshur commented Jun 4, 2020

IIRC, they're not standard, but are a common extension.

How would it affect users that happen to have a double quote character in their password?

@ainar-g
Contributor Author

ainar-g commented Jun 4, 2020

Good question. According to this StackOverflow answer the two widely-used .netrc parsers that allow spaces are GNU ftp and the Net::Netrc module in Perl. The C source code of the first one suggests that it simply scans until the next double quote. My Perl and PCRE are a bit rusty, but the regexp in the Perl source code seems to suggest a similar behaviour. So, if the user has a double-quote inside the password, they're probably fine, but if the password starts with a double-quote, there is no way to express that in .netrc.

@bcmills
Contributor

bcmills commented Jun 4, 2020

The Go .netrc parser is based on the description in https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html, which says:

[Tokens] may be separated by spaces, tabs, or new-lines:

That implies that, for example,

machine a.example.com password "hunter2 machine b.example.com password opensesame"

should be parsed as

machine a.example.com
password "hunter2
machine b.example.com
password opensesame"

You could argue that real passwords should not contain quote characters, but that's not particularly different from arguing that real passwords should not contain spaces...

@bcmills bcmills modified the milestones: Backlog, Unplanned Jun 4, 2020
@bcmills
Contributor

bcmills commented Jun 4, 2020

So the question is: is there an authoritative (or semi-authoritative) reference for quote-escaping in .netrc files, and/or for why passwords should prefer  over "?

@bcmills bcmills added the WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. label Jun 4, 2020
@gopherbot

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)

@ainar-g
Contributor Author

ainar-g commented Jul 6, 2020

@bcmills Who was supposed to add more info? I apologise if it was me, because as far as I know, there aren't any more authoritative references than the current implementations I mentioned.

@jayconrod
Contributor

(Answering for @bcmills since he's out of office today)

My understanding is that The .netrc file is the best source on this format. If there's a more authoritative source though, please let us know.

I think we should stick to the spec, such as it is. If every tool has its own interpretation of this file, that's not a good situation for anyone.

@ainar-g
Contributor Author

ainar-g commented Jul 6, 2020

@jayconrod The thing about that file is that it uses two words that may or may not mean the same thing: “name” and “string”. This “string” may be just another name for a non-space string of characters or it may mean that "a b c" is a “string” and a “token” in and of itself. The source code of GNU ftp, which I linked above, seems to think that it's the latter and not the former.

I don't think there is a good solution here, to be honest. I assume that passphrases with spaces are more common than those with double quotes, but there are already implementations that don't allow spaces.

@jayconrod
Contributor

The following tokens are recognized; they may be separated by spaces, tabs, or new-lines:
...
‘login name’
...
‘password string’
Supply a password. If this token is present, the auto-login process will supply the specified string if the remote server requires a password as part of the login process. Note that if this token is present in the .netrc file for any user other than anonymous, ftp will abort the auto-login process if the .netrc is readable by anyone besides the user.

This doesn't seem ambiguous to me: name and string are just descriptive names. Tokens may be separated by spaces, tabs, or newlines; there's no other restriction on characters within tokens; nothing says quotes should have special meaning.

Is GNU ftp implementing something else? I don't think their source code alone is convincing.

@golang golang locked and limited conversation to collaborators Mar 29, 2022