New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SFTP Stream Wrapper doesn't handle url with special characters #1779
Comments
I guess my most immediate thoughts are: what does libssh2 do? If you have a username or password with % in it... do you need to pass % to libssh2 or do you need to pass %25 to it? Even if libssh2 doesn't, itself, urldecode special characters, I suppose it's also fair to ask whether or not it ought to be. I got stuff to do today but I'll try to take a look at this this evening or in the next few days. Thanks! |
So I tested this out by creating an account I guess this would be a problem if your username had a Here's what I tried: parse_url("ssh://username@domain.tld:password@website.com/path/to"); // works
parse_url("ssh://username@domain.tld:pass@word@website.com/path/to"); // works
parse_url("ssh://user:name:password@website.com/path/to"); // doesn't work That said, the last example - the only one that doesn't work - shouldn't work, anyway, per RFC7617:
So the behavior seems to be correct? What is the special character you're having an issue with and is the special character in the username or password? |
Thanks for taking a look! Don't feel too pressured to look into this, as the workaround works just fine for my use case. Also I haven't dug too deep into the specifications so my understanding may be incorrect. For the specific time I ran into this, my password has a slash in it. So for this example if I set my password to "pass/word" it would end up being like parse_url('sftp://user:pass/word@webiste.com/path/to'); // returns false
parse_url('sftp://user:pass%2Fword@website.com/path/to'); // ['password' => 'pass%2Fword',...] My username contains just letters, numbers, and underscores in the ascii, so there was nothing in my username specifically that would mess with |
https://www.php.net/ssh2 works just fine with |
Ideally, phpseclib would work in the same way https://www.php.net/ssh2 works. This particular component was designed to be drop-in compatible with https://www.php.net/ssh2's stream functionality. Making it so that everything is urldecode'd wouldn't really be consistent with that as that's not what https://www.php.net/ssh2 does. Here's what ssh2 does:
That's also the only place where I think for the time being imma just let this issue remain open. Might not be a bad idea to add a note about this issue in the documentation... |
https://github.com/phpseclib/phpseclib/blob/3.0.14/phpseclib/Net/SFTP/Stream.php#L158
parse_url
does not decode the values extracted from the url.This can lead to things like
$this->sftp->login($user, $pass)
failing to login because it has the wrong username/password. Or$this->sftp->filesize($path);
failing because the $path doesn't match what's actually on the server.This problem can be avoided by using the SFTP object directly.
Alternatively, setting the username and password via the stream context can fix the issue with special characters in the credentials, but I didn't see a workaround if you have a file path with characters that could be url encoded.
The text was updated successfully, but these errors were encountered: