mirror of https://github.com/pypa/pip
Fix an edge case where Link.filename can leak auth information.
parent
b6077c5227
commit
0ed518f0dc
|
@ -4,7 +4,8 @@ import re
|
|||
from pip._vendor.six.moves.urllib import parse as urllib_parse
|
||||
|
||||
from pip._internal.utils.misc import (
|
||||
WHEEL_EXTENSION, path_to_url, redact_password_from_url, splitext,
|
||||
WHEEL_EXTENSION, path_to_url, redact_password_from_url,
|
||||
split_auth_from_netloc, splitext,
|
||||
)
|
||||
from pip._internal.utils.models import KeyBasedCompareMixin
|
||||
from pip._internal.utils.typing import MYPY_CHECK_RUNNING
|
||||
|
@ -68,7 +69,13 @@ class Link(KeyBasedCompareMixin):
|
|||
def filename(self):
|
||||
# type: () -> str
|
||||
path = self.path.rstrip('/')
|
||||
name = posixpath.basename(path) or self.netloc
|
||||
name = posixpath.basename(path)
|
||||
if not name:
|
||||
# Make sure we don't leak auth information if the netloc
|
||||
# includes a username and password.
|
||||
netloc, user_pass = split_auth_from_netloc(self.netloc)
|
||||
return netloc
|
||||
|
||||
name = urllib_parse.unquote(name)
|
||||
assert name, ('URL %r produced no filename' % self._url)
|
||||
return name
|
||||
|
@ -81,6 +88,9 @@ class Link(KeyBasedCompareMixin):
|
|||
@property
|
||||
def netloc(self):
|
||||
# type: () -> str
|
||||
"""
|
||||
This can contain auth information.
|
||||
"""
|
||||
return self._parsed_url[1]
|
||||
|
||||
@property
|
||||
|
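Review bot: In `filename`, the new empty-name branch binds the stripped credentials to `user_pass` and never uses them; `netloc, _ = split_auth_from_netloc(self.netloc)` makes it explicit that the auth part is discarded on purpose. The docstring added to `netloc` only says the value can contain auth information, and it would help to state the consequence, for example `Raw network location; may include "user:password@". Strip it with split_auth_from_netloc() before logging or displaying it.` Other readers of `Link.netloc` are not visible in these hunks, so whether any of them writes the raw value into a message should be checked separately. The `Link` class body starts and continues outside the hunks shown.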
|
|
@ -5,6 +5,16 @@ from pip._internal.models.link import Link
|
|||
|
||||
class TestLink:
|
||||
|
||||
@pytest.mark.parametrize('url, expected', [
|
||||
(
|
||||
'https://user:password@example.com/path/page.html',
|
||||
'<Link https://user:****@example.com/path/page.html>',
|
||||
),
|
||||
])
|
||||
def test_repr(self, url, expected):
|
||||
link = Link(url)
|
||||
assert repr(link) == expected
|
||||
|
||||
@pytest.mark.parametrize('url, expected', [
|
||||
('http://yo/wheel.whl', 'wheel.whl'),
|
||||
('http://yo/wheel', 'wheel'),
|
||||
|
@ -20,6 +30,11 @@ class TestLink:
|
|||
('https://example.com/path//', 'path'),
|
||||
# Test a url with no filename.
|
||||
('https://example.com/', 'example.com'),
|
||||
# Test a url with no filename and with auth information.
|
||||
(
|
||||
'https://user:password@example.com/',
|
||||
'example.com',
|
||||
),
|
||||
])
|
||||
def test_filename(self, url, expected):
|
||||
link = Link(url)
|
||||
|
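Review bot: The auth cases added to `test_repr` and `test_filename` cover only the `user:password@` form, so a netloc carrying just a username (commonly an API token) is untested. A case such as `('https://token@example.com/', 'example.com')` in the `test_filename` parameters would pin that down, assuming `split_auth_from_netloc` also strips a lone username. A matching `test_repr` case would show whether `redact_password_from_url` leaves such a token visible in the repr. The body of `test_filename` continues past the end of the hunk.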
|