Needs support for quoted passwords

[reinux]

Network.NetRc is not one of the many (most?) programs that accept quotes in the password column so that the passwords can have spaces in them.

Unfortunately, some services issue passphrases that contain spaces (and passphrases are becoming a more common way to generate passwords, as they are easier to remember), and it isn't up to the user to change them.

More info: https://stackoverflow.com/questions/12674888/can-netrc-handle-passphrases-with-spaces

[reinux]

In order to minimize the likelihood of breakage, I wonder if it might make sense to treat a column as having been quoted if the quote only appears at the beginning and end of the column... It's not exactly the correct way to parse quotes, but there probably isn't a better option.

[andreasabel]

Currently whitespace is explicitly forbidden in passwords and other fields:

netrc/src/Network/NetRc.hs

Lines 14 to 21 in bee52c7

	-- > ENTRY := 'machine' WS+ <value> WS+ ((account|username|password) WS+ <value>)*
	-- > | 'default' WS+ (('account'|'username'|'password') WS+ <value>)*
	-- > | 'macdef' <value> LF (<line> LF)* LF
	-- >
	-- > WS := (LF|SPC|TAB)
	-- >
	-- > <line> := !LF+
	-- > <value> := !WS+

netrc/src/Network/NetRc.hs

Lines 66 to 72 in bee52c7

	-- | @machine@ and @default@ entries describe remote accounts
	--
	-- __Invariant__: fields must not contain any @TAB@s, @SPACE@, or @LF@s.
	data NetRcHost = NetRcHost
	{ nrhName :: !ByteString -- ^ Remote machine name (@""@ for @default@-entries)
	, nrhLogin :: !ByteString -- ^ @login@ property (@""@ if missing)
	, nrhPassword :: !ByteString -- ^ @password@ property (@""@ if missing)

[reinux]

From what I understand, there's not much of an official standard. I wonder if the robustness principle might apply in this case?

[andreasabel]

If you allow passwords in quotes, what happens to passwords that contained quotes?
E.g., in password "foo" the password is currently the 5-character "foo", not the 3-character foo.

[reinux]

From a quick glance at what other programs do, wget and curl share one escaping style, fetchmail has its own, curl pre-7.84.0 and git don't accept spaces, and perl's netrc library, lftp, and ftp accept spaces.

Unfortunately something would be lost no matter what, as there's no specification as to which is correct.

More broadly, modern websites and services are agnostic to spaces (of course, any website that is actually checking the content of a password server-side is very sus), and more and more are issuing passphrases as opposed to passwords, as they're easier to remember.

I think the chances that a password begins and ends with a quote are fairly slim, so the risk of breaking something is probably not too severe, though I acknowledge that it could lead to unexpected downtime of a critical service.

[reinux]

Actually, I just had a weird idea: What if, if the first line of the starts with a comment like #allow spaces, it allows spaces within quotes?

That way, at least, programs that don't already specify a way of allowing spaces, e.g. git and haskell-hvr, have a chance of being consistent.

[andreasabel]

Thanks for linking the article https://daniel.haxx.se/blog/2022/05/31/netrc-pains/ !

What if, if the first line of the starts with a comment like #allow spaces, it allows spaces within quotes?

Worth considering, however, we would create our own standard here, which I am hesitant about.
In the end, we are just a dwarf, and we should follow one of the giants, and not try to take the lead.

It seems more plausible to follow the decision that curl took, to switch to (double) quoted passwords with backslash-escaped double quotes inside the password.

We are in the lucky situation that we do not seem to have too many users, according to https://packdeps.haskellers.com/reverse/netrc .
So we can ask our users for their opinion:

• @shlevy for https://hackage.haskell.org/package/hail
• @domenkozar for https://hackage.haskell.org/package/cachix

[shlevy]

Following curl makes sense to me.

[andreasabel]

@reinux: Do you want to PR?

Probably the desired logic looks like this: if the password begins and ends with a doublequote, we drop those and unescape backslashed double quotes and backslashes inside the password; otherwise, we use the password literally.

[reinux]

Aight, I'll give it a shot. I spent most of my adult life in F# and haven't touched Haskell much since college (worked a bit with FParsec though), so this'll be a good small project to get reacquainted. Looking forward to feedback when it's ready!