Skip to content

x/net/proxy: SOCKS5 proxy should allow empty password #57285

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
iseki0 opened this issue Dec 13, 2022 · 7 comments
Closed

x/net/proxy: SOCKS5 proxy should allow empty password #57285

iseki0 opened this issue Dec 13, 2022 · 7 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Backlog

Comments

@iseki0
Copy link

iseki0 commented Dec 13, 2022

What version of Go are you using (go version)?

$ go version
go version go1.19 windows/amd64

Does this issue reproduce with the latest release?

Yes, it reproduced

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\iseki\AppData\Local\go-build
set GOENV=C:\Users\iseki\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Users\iseki\go\pkg\mod
set GONOPROXY=git.murphy-int.com
set GONOSUMDB=git.murphy-int.com
set GOOS=windows
set GOPATH=C:\Users\iseki\go
set GOPRIVATE=git.murphy-int.com
set GOPROXY=https://goproxy.cn,direct
set GOROOT=C:\Program Files\Go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=C:\Program Files\Go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.19
set GCCGO=gccgo
set GOAMD64=v1
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=0
set GOMOD=NUL
set GOWORK=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=C:\Users\iseki\AppData\Local\Temp\go-build1840084022=/tmp/go-build -gno-record-gcc-switches

What did you do?

I use an empty-password socks5 URL, like: socks5://username:@127.0.0.1. The connection closed after server negotiation.

What did you expect to see?

The connection should be established.

What did you see instead?

I found the problem code might be here:

go/src/net/http/socks_bundle.go

Line 448 in b16e94d

if len(up.Username) == 0 || len(up.Username) > 255 || len(up.Password) == 0 || len(up.Password) > 255 {

After read the RFC, I found there is no limitation to empty password string. And both curl and git is ok in my test.
So I think it's a bug and should be fixed.

If it's ok, I will create a PR for that.
@seankhliao seankhliao changed the title http: SOCKS5 proxy should allow empty password x/net/proxy: SOCKS5 proxy should allow empty password Dec 13, 2022
@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 13, 2022
@seankhliao
Copy link
Member

cc @neild

@iseki0 iseki0 mentioned this issue Dec 13, 2022
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/457155 mentions this issue: net/http: SOCKS5 proxy with empty password should be allowed

@iseki0 iseki0 mentioned this issue Dec 13, 2022
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/457355 mentions this issue: socks: SOCKS5 proxy with empty password should be allowed

@aojea
Copy link
Contributor

aojea commented Dec 14, 2022

From the RFC https://www.rfc-editor.org/rfc/rfc1929 I interpret that username and password are always >0 <=255

@iseki0
Copy link
Author

iseki0 commented Dec 14, 2022

It's only noted at graph, I missed it. But it's supported widely. 🥹

@seankhliao seankhliao added this to the Backlog milestone Jan 20, 2023
@geovex
Copy link

geovex commented Mar 26, 2023

Also we can allow empty username.

@iseki0
Copy link
Author

iseki0 commented Apr 1, 2023

@geovex

Also we can allow empty username.

In my opinion, it is. But I'm afraid it's too aggressively

@qiangweihewu qiangweihewu mentioned this issue May 12, 2023
Closed
@golang golang locked and limited conversation to collaborators Apr 6, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Backlog
5 participants
@geovex @aojea @gopherbot @seankhliao @iseki0