Description
Checklist
- I confirm there are no unresolved issues reported on the Chocolatey Status page.
- I have verified this is the correct repository for opening this issue.
- I have verified no other issues exist related to my problem.
- I have verified this is not an issue for a specific package.
- I have verified this issue is not security related.
- I confirm I am using official, and not unofficial, or modified, Chocolatey products.
What You Are Seeing?
French here; some of our users are using French characters (éèàù§...) in their passwords. And our Nexus server serving Chocolatey packages requires authentication.
Problem: those users enter their correct password but it fails to authenticate correctly.
This applies to both the interactive prompt for user/password and user/password stored with source add --user --password
What is Expected?
Users having passwords with non-ASCII characters should still be able to use Chocolatey with authenticating repositories.
How Did You Get This To Happen?
Interactive:
- Add a source to Chocolatey requiring authentication
- Call: choco install toto
- choco connects to the source, realizes authentication is needed and asks the user for his login / password
- User types his correct login and correct password (which includes non-ASCII characters)
- Chocolatey still fails to authenticate with the authenticating source and asks for credentials again
Non-interactive:
- Add a source to Chocolatey requiring authentication with user/password information, and a password containing non-ASCII characters
- Call: choco install toto
- choco connects to the source and uses the provided credentials
- Chocolatey still fails to authenticate with the authenticating source and fails to install the package
System Details
- Operating System: 10.0.22631.0
- Windows PowerShell version:
Name Value
---- -----
PSVersion 5.1.22621.4391
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.4391
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
- Chocolatey CLI Version: 2.4.1
- Chocolatey Licensed Extension version:
Chocolatey v2.4.1
0 packages installed.
- Chocolatey License type: None
- Terminal/Emulator: Windows Terminal
Installed Packages
PS C:\work\chocolatey\sources\choco_vIDEMIA> choco list
Chocolatey v2.4.1
checksum 0.3.1
chocolatey 2.4.1
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-visualstudio.extension 1.11.1
chocolatey-windowsupdate.extension 1.0.5
curl 7.68.0
dependencies 1.11.1
DotNet3.5 3.5.20241212
dotnet-9.0-sdk 9.0.100
dotnet-9.0-sdk-1xx 9.0.100
dotnetfx 4.8.0.20220524
dotnet-sdk 9.0.100
doxygen.install 1.11.0
git 2.44.0
git.install 2.44.0
graphviz 12.0.0
idemia-choco-stat.hook 0.1.0
InkScape 1.3.2
InnoSetup 6.3.2
KB2919355 1.0.20160915
KB2919442 1.0.20160915
KB2999226 1.0.20181019
KB3033929 1.0.5
KB3035131 1.0.3
kdenlive 24.5.2
lsd 1.1.2
make 4.4.1
microsoft-windows-terminal 1.19.10573
mobaxterm 24.2.0
mRemoteNG 1.76.20.24615
my_program 1.0.0
netfx-4.8 4.8.0.20220524
netfx-4.8.1 4.8.1
netfx-4.8-devpack 4.8.0.20190930
nodejs-lts 22.11.0
nuget.commandline 6.12.1
paint.net 5.0.12
putty 0.80.0
putty.portable 0.80.0
ripgrep 14.1.0
tool.external.chocolateygui 2.2.0
transifex-cli 1.6.17
treesizefree 4.7.3.1
vcredist140 14.38.33135
virtualbox 7.0.20
virtualbox-guest-additions-guest.install 7.0.20
visualstudio2019buildtools 16.11.42
visualstudio-installer 2.0.3
wixtoolset 3.14.1
51 packages installed.
Output Log
This is how to reproduce the problem.
C:\work>choco source add -n=local -s=http://localhost:8080/ --user philippe --password éçù
Chocolatey v2.4.1
Added local - http://localhost:8080/ (Priority 0)
C:\work>choco install --yes --verbose --debug toto
Chocolatey v2.4.1
Chocolatey is running on Windows v 6.2.9200.0
Attempting to delete file "C:/ProgramData/chocolatey/bin/choco.exe.old".
Attempting to delete file "C:\ProgramData\chocolatey\bin\choco.exe.old".
Command line: choco install --yes --verbose --debug toto
Received arguments: install --yes --verbose --debug toto
RemovePendingPackagesTask is now ready and waiting for PreRunMessage.
Sending message 'PreRunMessage' out if there are subscribers...
[Pending] Removing all pending packages that should not be considered installed...
Performing validation checks.
Global Configuration Validation Checks:
- Package Exit Code / Exit On Reboot = Checked
System State Validation Checks:
Reboot Requirement Checks:
- Pending Computer Rename = Checked
- Pending Component Based Servicing = Checked
- Pending Windows Auto Update = Checked
- Pending File Rename Operations = Ignored
- Pending Windows Package Installer = Checked
- Pending Windows Package Installer SysWow64 = Checked
Cache Folder Lockdown Checks:
- Elevated State = Checked
- Folder Exists = Checked
- Folder lockdown = Checked
The source 'http://localhost:8080/' evaluated to a 'normal' source type
NOTE: Hiding sensitive configuration data! Please double and triple
check to be sure no sensitive data is shown, especially if copying
output to a gist for review.
Configuration: CommandName='install'|
CacheLocation='C:\Users\g582619\AppData\Local\Temp\chocolatey'|
CommandExecutionTimeoutSeconds='2700'|WebRequestTimeoutSeconds='30'|
Sources='http://localhost:8080/'|SourceType='normal'|
IncludeConfiguredSources='False'|ShowOnlineHelp='False'|Debug='True'|
Verbose='True'|Trace='False'|Force='False'|Noop='False'|
HelpRequested='False'|UnsuccessfulParsing='False'|RegularOutput='True'|
QuietOutput='False'|PromptForConfirmation='False'|
DisableCompatibilityChecks='False'|AcceptLicense='True'|
AllowUnofficialBuild='False'|Input='toto'|AllVersions='False'|
SkipPackageInstallProvider='False'|SkipHookScripts='False'|
PackageNames='toto'|Prerelease='False'|ForceX86='False'|
OverrideArguments='False'|NotSilent='False'|
ApplyPackageParametersToDependencies='False'|
ApplyInstallArgumentsToDependencies='False'|IgnoreDependencies='False'|
CacheExpirationInMinutes='30'|AllowDowngrade='False'|
ForceDependencies='False'|PinPackage='False'|
Information.PlatformType='Windows'|
Information.PlatformVersion='6.2.9200.0'|
Information.PlatformName='Windows 8'|
Information.ChocolateyVersion='2.4.1.0'|
Information.ChocolateyProductVersion='2.4.1'|
Information.FullName='choco, Version=2.4.1.0, Culture=neutral, PublicKeyToken=79d02ea9cad655eb'|
Information.Is64BitOperatingSystem='True'|
Information.Is64BitProcess='True'|Information.IsInteractive='True'|
Information.IsUserAdministrator='True'|
Information.IsUserSystemAccount='False'|
Information.IsUserRemoteDesktop='False'|
Information.IsUserRemote='False'|Information.IsProcessElevated='True'|
Information.IsLicensedVersion='False'|
Information.IsLicensedAssemblyLoaded='False'|
Information.LicenseType='Foss'|Information.CurrentDirectory='C:\work'|
Features.AutoUninstaller='True'|Features.ChecksumFiles='True'|
Features.AllowEmptyChecksums='False'|
Features.AllowEmptyChecksumsSecure='True'|
Features.FailOnAutoUninstaller='False'|
Features.FailOnStandardError='False'|Features.UsePowerShellHost='True'|
Features.LogEnvironmentValues='False'|Features.LogWithoutColor='False'|
Features.VirusCheck='False'|
Features.FailOnInvalidOrMissingLicense='False'|
Features.IgnoreInvalidOptionsSwitches='True'|
Features.UsePackageExitCodes='True'|
Features.UseEnhancedExitCodes='False'|
Features.UseFipsCompliantChecksums='False'|
Features.ShowNonElevatedWarnings='True'|
Features.ShowDownloadProgress='True'|
Features.StopOnFirstPackageFailure='False'|
Features.UseRememberedArgumentsForUpgrades='False'|
Features.IgnoreUnfoundPackagesOnUpgradeOutdated='False'|
Features.SkipPackageUpgradesWhenNotInstalled='False'|
Features.RemovePackageInformationOnUninstall='False'|
Features.ExitOnRebootDetected='False'|
Features.LogValidationResultsOnWarnings='True'|
Features.UsePackageRepositoryOptimizations='True'|
Features.UsePackageHashValidation='False'|
ListCommand.LocalOnly='False'|
ListCommand.IdOnly='False'|ListCommand.IncludeRegistryPrograms='False'|
ListCommand.PageSize='25'|ListCommand.Exact='False'|
ListCommand.ByIdOnly='False'|ListCommand.ByTagOnly='False'|
ListCommand.IdStartsWith='False'|ListCommand.OrderByPopularity='False'|
ListCommand.ApprovedOnly='False'|
ListCommand.DownloadCacheAvailable='False'|
ListCommand.NotBroken='False'|
ListCommand.IncludeVersionOverrides='False'|
ListCommand.ExplicitPageSize='False'|
ListCommand.ExplicitSource='False'|
UpgradeCommand.FailOnUnfound='False'|
UpgradeCommand.FailOnNotInstalled='False'|
UpgradeCommand.NotifyOnlyAvailableUpgrades='False'|
UpgradeCommand.ExcludePrerelease='False'|
UpgradeCommand.IgnorePinned='False'|
NewCommand.AutomaticPackage='False'|
NewCommand.UseOriginalTemplate='False'|SourceCommand.Command='unknown'|
SourceCommand.Priority='0'|SourceCommand.BypassProxy='False'|
SourceCommand.AllowSelfService='False'|
SourceCommand.VisibleToAdminsOnly='False'|
FeatureCommand.Command='unknown'|ConfigCommand.Command='Unknown'|
ApiKeyCommand.Command='Unknown'|PinCommand.Command='Unknown'|
OutdatedCommand.IgnorePinned='False'|
ExportCommand.IncludeVersionNumbers='False'|Proxy.BypassOnLocal='True'|
TemplateCommand.Command='unknown'|CacheCommand.Command='Unknown'|
CacheCommand.RemoveExpiredItemsOnly='False'|
_ Chocolatey:ChocolateyInstallCommand - Normal Run Mode _
Installing the following packages:
toto
By installing, you accept licenses for the packages.
Process Tree: Chocolatey CLI => cmd => WindowsTerminal => explorer
Updating User Agent to 'Chocolatey Command Line/2.4.1 via NuGet Client/6.4.1 (Microsoft Windows NT 6.2.9200.0)'.
Running list with the following filter = ''
--- Start of List ---
Process Tree: Chocolatey CLI => cmd => WindowsTerminal => explorer
Updating User Agent to 'Chocolatey Command Line/2.4.1 via NuGet Client/6.4.1 (Microsoft Windows NT 6.2.9200.0)'.
Resolving resource PackageSearchResource for source C:\ProgramData\chocolatey\lib
checksum 0.3.1
chocolatey 2.4.1
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-visualstudio.extension 1.11.1
chocolatey-windowsupdate.extension 1.0.5
curl 7.68.0
dependencies 1.11.1
DotNet3.5 3.5.20241212
dotnet-9.0-sdk 9.0.100
dotnet-9.0-sdk-1xx 9.0.100
dotnetfx 4.8.0.20220524
dotnet-sdk 9.0.100
doxygen.install 1.11.0
git 2.44.0
git.install 2.44.0
graphviz 12.0.0
idemia-choco-stat.hook 0.1.0
InkScape 1.3.2
InnoSetup 6.3.2
KB2919355 1.0.20160915
KB2919442 1.0.20160915
KB2999226 1.0.20181019
KB3033929 1.0.5
KB3035131 1.0.3
kdenlive 24.5.2
lsd 1.1.2
make 4.4.1
microsoft-windows-terminal 1.19.10573
mobaxterm 24.2.0
mRemoteNG 1.76.20.24615
my_program 1.0.0
netfx-4.8 4.8.0.20220524
netfx-4.8.1 4.8.1
netfx-4.8-devpack 4.8.0.20190930
nodejs-lts 22.11.0
nuget.commandline 6.12.1
paint.net 5.0.12
putty 0.80.0
putty.portable 0.80.0
ripgrep 14.1.0
tool.external.chocolateygui 2.2.0
transifex-cli 1.6.17
treesizefree 4.7.3.1
vcredist140 14.38.33135
virtualbox 7.0.20
virtualbox-guest-additions-guest.install 7.0.20
visualstudio2019buildtools 16.11.42
visualstudio-installer 2.0.3
wixtoolset 3.14.1
--- End of List ---
Resolving resource ListResource for source http://localhost:8080/
Attempting to gather credentials for 'http://localhost:8080/'
Using saved credentials
Invalid credentials specified.
Attempting to gather credentials for 'http://localhost:8080/'
Using saved credentials
Invalid credentials specified.
Attempting to gather credentials for 'http://localhost:8080/'
Using saved credentials
Invalid credentials specified.
Attempting to gather credentials for 'http://localhost:8080/'
Using saved credentials
[NuGet] GET http://localhost:8080/$metadata
[NuGet] Unauthorized http://localhost:8080/$metadata 4ms
[NuGet] GET http://localhost:8080/Packages()?$filter=(tolower(Id) eq 'toto') and IsLatestVersion&semVerLevel=2.0.0
[NuGet] Unauthorized http://localhost:8080/Packages()?$filter=(tolower(Id) eq 'toto') and IsLatestVersion&semVerLevel=2.0.0 4ms
Unable to connect to source 'http://localhost:8080/':
NuGet.Protocol.Core.Types.FatalProtocolException: Failed to fetch results from V2 feed at 'http://localhost:8080/Packages()?$filter=(tolower(Id)%20eq%20'toto')%20and%20IsLatestVersion&semVerLevel=2.0.0' with following message : Response status code does not indicate success: 401 (Unauthorized). ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at NuGet.Protocol.HttpSource.<>c__DisplayClass15_0`1.<<GetAsync>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Common.ConcurrencyUtilities.<ExecuteWithFileLockedAsync>d__6`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at NuGet.Common.ConcurrencyUtilities.<ExecuteWithFileLockedAsync>d__6`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Common.ConcurrencyUtilities.<ExecuteWithFileLockedAsync>d__5`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Protocol.HttpSource.<GetAsync>d__15`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Protocol.V2FeedParser.<LoadXmlAsync>d__91.MoveNext()
--- End of inner exception stack trace ---
at NuGet.Protocol.V2FeedParser.<LoadXmlAsync>d__91.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at NuGet.Protocol.V2FeedParser.<QueryV2FeedAsync>d__89.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Protocol.V2FeedParser.<GetPackagesPageAsync>d__77.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Protocol.V2FeedListResource.<PackageAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at chocolatey.infrastructure.app.nuget.NugetList.<>c__DisplayClass20_1.<FindPackage>b__1()
at chocolatey.infrastructure.tolerance.FaultTolerance.TryCatchWithLoggingException[T](Func`1 function, String errorMessage, Boolean throwError, Boolean logWarningInsteadOfError, Boolean logDebugInsteadOfError, Boolean isSilent)
toto not installed. The package was not found with the source(s) listed.
Source(s): 'http://localhost:8080/'
NOTE: When you specify explicit sources, it overrides default sources.
If the package version is a prerelease and you didn't specify `--pre`,
the package may not be found.
Please see https://docs.chocolatey.org/en-us/troubleshooting for more
assistance.
Chocolatey installed 0/1 packages. 1 packages failed.
See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
Failures
- toto - toto not installed. The package was not found with the source(s) listed.
Source(s): 'http://localhost:8080/'
NOTE: When you specify explicit sources, it overrides default sources.
If the package version is a prerelease and you didn't specify `--pre`,
the package may not be found.
Please see https://docs.chocolatey.org/en-us/troubleshooting for more
assistance.
Sending message 'PostRunMessage' out if there are subscribers...
Exiting with 1
And the output on the server side:
127.0.0.1 - - [14/Jan/2025 11:37:04] "GET /Packages()?$filter=(tolower(Id)%20eq%20'toto')%20and%20IsLatestVersion&semVerLevel=2.0.0 HTTP/1.1" 401 -
Accept: application/atom+xml, application/xml
X-NuGet-Session-Id: a23cc716-931a-4012-a325-224cc37b1e08
user-agent: Chocolatey Command Line/2.4.1 via NuGet Client/6.4.1 (Microsoft Windows NT 6.2.9200.0)
X-NuGet-Client-Version: 6.4.1
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Authorization: Basic cGhpbGlwcGU66ef5
Host: localhost:8080
Connection: Keep-Alive
Decoding header for `Authorization`
Authorization (binary encoded): b'philippe:\xe9\xe7\xf9'
ERROR, could not decode Authorization header in UTF8
Authorization (latin1 decoded): philippe:éçù
127.0.0.1 - - [14/Jan/2025 11:37:04] "GET /Packages()?$filter=(tolower(Id)%20eq%20'toto')%20and%20IsLatestVersion&semVerLevel=2.0.0 HTTP/1.1" 401 -
Additional Context
I tracked this down because I really need Chocolatey to authenticate to Nexus for all our users.
The password is correctly read by Chocolatey; a NetworkCredential object with the correct password is passed to WebRequest.
So this is actually a .NET Framework bug, which I was able to reproduce quite simply. The bug is present in .NET Framework 4.8.1 but not in .NET 5 and above.
The problem is that .NET incorrectly encodes the authentication header in the HTTP request. It's kind of a grey area, but most servers, and at least Nexus, expect the authentication header to contain user + password, in UTF8, base64 encoded. It looks like .NET 4.8.1 uses a different encoding, probably a reinterpretation of UTF16, but I am not clear on that part.
A simple way to reproduce the problem:
- run the attached Python file, simulating a server.
- choco source add local -s http://localhost:8080/ -n local --user philippe --password éçù
- choco install toto
The installation will fail, but the interesting part is on the Python server: it shows you that it could not decode the Authentication header in UTF8.
I also attach a simple CS file to reproduce the problem more simply with the same Python server.
And last but not least, I have a workaround for this. Not a pretty one. Basically, .NET Framework 4.8 incorrectly interprets NetworkCredential objects with a password containing non-ASCII characters. By cheating on the password value, it's possible to have .NET issue the correct authentication header.
It looks like this:
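using System.Net;
using System.Text;
// Workaround: reinterpret the password's UTF-8 bytes as Windows-1252 text before building the credential.
string orig_pwd = "éçùèऀ§";
string pwd = Encoding.GetEncoding(1252).GetString(Encoding.UTF8.GetBytes(orig_pwd));
NetworkCredential myCred = new NetworkCredential("philippe", pwd);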
I'll submit a PR sometime for this.
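The server-side capture in this report can be replayed offline. The following is an added example, not code from the issue, its attachments or Chocolatey: it decodes the logged Authorization value, shows which charset produces it, and checks that a password rewritten as in the workaround yields the UTF-8 header. It assumes the client encodes the credential string with code page 1252, as the workaround implies; `basic_header`, `parse_basic` and `workaround_password` are illustrative names.

```python
import base64
import binascii

# Values taken from the reproduction on this page.
USER, PASSWORD = "philippe", "éçù"
OBSERVED_HEADER = "Basic cGhpbGlwcGU66ef5"  # from the server-side output


def basic_header(user, password, charset):
    """Authorization value a client sends when it encodes user:password with `charset`."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header):
    """Split a Basic credential into (user, password, charset).

    UTF-8 is tried first; latin-1 is the fallback because it maps every byte,
    which is how the test server on this page recovered the password.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("token is not valid base64") from exc
    for charset in ("utf-8", "latin-1"):
        try:
            text = raw.decode(charset)
        except UnicodeDecodeError:
            continue
        user, sep, password = text.partition(":")
        if not sep:
            raise ValueError("missing ':' separator")
        return user, password, charset


def workaround_password(password):
    """Python mirror of the C# workaround: UTF-8 bytes re-read as Windows-1252 text.

    Python's cp1252 codec leaves bytes 0x81, 0x8D, 0x8F, 0x90 and 0x9D undefined
    and raises UnicodeDecodeError if the UTF-8 form contains one of them.
    """
    return password.encode("utf-8").decode("cp1252")


def main():
    print("observed  :", parse_basic(OBSERVED_HEADER))
    print("expected  :", basic_header(USER, PASSWORD, "utf-8"))
    # Assumption: the client encodes the credential string with code page 1252.
    patched = basic_header(USER, workaround_password(PASSWORD), "cp1252")
    print("workaround:", patched)


if __name__ == "__main__":
    main()
```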