Commit 4e650ac

fix(proxy): send Proxy-Authorization when username has no password

httpProxyDialer only emitted the Basic credential header when the url.Userinfo had a password component set. That dropped auth for two legitimate cases allowed by RFC 7617: a proxy URL like http://user@proxy/ (no colon, password unset), and an explicit empty password http://user:@proxy/. Some corporate proxies are configured exactly this way.

Send auth whenever a username is present, defaulting password to the empty string if url.Userinfo didn't set one.

Upstream PR #977.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent f57af74 commit 4e650ac

1 file changed

Lines changed: 5 additions & 4 deletions

proxy.go

@@ -58,11 +58,12 @@ func (hpd *httpProxyDialer) DialContext(ctx context.Context, network string, add
5858

5959
connectHeader := make(http.Header)
6060
if user := hpd.proxyURL.User; user != nil {
61+
// RFC 7617 permits an empty password. Send Basic auth whenever a
62+
// username is present, even if no password was specified.
6163
proxyUser := user.Username()
62-
if proxyPassword, passwordSet := user.Password(); passwordSet {
63-
credential := base64.StdEncoding.EncodeToString([]byte(proxyUser + ":" + proxyPassword))
64-
connectHeader.Set("Proxy-Authorization", "Basic "+credential)
65-
}
64+
proxyPassword, _ := user.Password()
65+
credential := base64.StdEncoding.EncodeToString([]byte(proxyUser + ":" + proxyPassword))
66+
connectHeader.Set("Proxy-Authorization", "Basic "+credential)
6667
}
6768
connectReq := &http.Request{
6869
Method: http.MethodConnect,
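
Review bot: the added comment says Basic auth is sent "whenever a username is present", but the only guard left is `user != nil`, so with the `passwordSet` check removed a non-nil Userinfo whose username is empty now yields a `Proxy-Authorization` header built from a lone ":". Consider guarding on `proxyUser != ""` before building the credential, or reword the comment to say auth is sent whenever userinfo is present. Separately, `proxyUser + ":" + proxyPassword` does not reject a username that contains ":", which RFC 7617 disallows for the user-id; that line is carried over from the old code, but this is a natural place to add the check. The commit changes only proxy.go, so a test covering `http://user@proxy/` and `http://user:@proxy/` would pin down the two cases the commit message describes.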
