
Bug#623443: Please do not use $http_proxy if its protocol part is nonsense



Package: apt
Version: 0.8.13.1
Severity: minor

Hello,

thank you for your work on apt!

I stumbled on a little annoyance with proxy settings. Given this:
  
  # export http_proxy=enrico:password@proxy-cache.localnet:3128
  # aptitude

I see that aptitude tries to resolve "password@proxy-cache.localnet",
which leaks my password in cleartext through the local network. I reckon
this is because "enrico:" is taken as the protocol part.

I accept this is an error in setting up the http_proxy variable; on the
other hand, many programs work without the "http://" part, making the
misconfiguration hard to notice, and the consequences of the error are
quite dire and (in theory) easily prevented.


Ciao,

Enrico

-- Package-specific info:

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: wheezy/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2010.08.28       GnuPG archive keys of the Debian a
ii  gnupg                   1.4.11-3         GNU privacy guard - a free PGP rep
ii  libc6                   2.11.2-11        Embedded GNU C Library: Shared lib
ii  libgcc1                 1:4.6.0-2        GCC support library
ii  libstdc++6              4.6.0-2          The GNU Standard C++ Library v3
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc                     <none>       (no description available)
ii  aptitude                    0.6.3-4      terminal-based package manager (te
ii  bzip2                       1.0.5-6      high-quality block-sorting file co
ii  dpkg-dev                    1.16.0.2     Debian package development tools
ii  lzma                        4.43-14      Compression method of 7z format in
ii  python-apt                  0.7.100.3+b1 Python interface to libapt-pkg
ii  synaptic                    0.75.1       Graphical package manager

-- no debconf information
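
A pre-flight check for the misconfiguration reported above, as an added example that is not part of the original report and is not apt code. It assumes only http:// and https:// proxy URLs are acceptable in this environment; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not apt code. Assumption: http:// and https:// are the
# only proxy schemes this environment accepts.

# Print whatever precedes the first ':', i.e. the part a scheme-first
# parser would treat as the protocol. Prints nothing if there is no ':'.
proxy_scheme() {
    case "$1" in
        *:*) printf '%s' "${1%%:*}" ;;
    esac
}

# Return 0 if the value starts with an accepted scheme plus "//",
# 2 if it does not and also embeds credentials (contains '@'),
# 1 for any other malformed value.
check_proxy() {
    case "$1" in
        http://?*|https://?*) return 0 ;;
        *@*) return 2 ;;
        *)   return 1 ;;
    esac
}

# Unset every malformed proxy variable in the current shell and warn on
# stderr without echoing the value (it may contain a password).
# Returns 1 if at least one variable was unset, 0 otherwise.
guard_proxy_env() {
    dropped=0
    for name in http_proxy https_proxy HTTP_PROXY HTTPS_PROXY; do
        eval "value=\${$name-}"
        [ -n "$value" ] || continue
        check_proxy "$value" && continue
        echo "warning: $name lacks http:// or https://, unsetting it" >&2
        unset "$name"
        dropped=1
    done
    return "$dropped"
}
```

Source the file and call guard_proxy_env in the shell before starting apt or aptitude; a malformed variable is dropped there instead of being handed to the resolver.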


