Chocolatey does not handle passwords with non ASCII characters when interacting with authenticating sources #3600

@pfremy

Checklist

  • I confirm there are no unresolved issues reported on the Chocolatey Status page.
  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my problem.
  • I have verified this is not an issue for a specific package.
  • I have verified this issue is not security related.
  • I confirm I am using official, and not unofficial, or modified, Chocolatey products.

What You Are Seeing?

French here; some of our users are using French characters (éèàù§...) in their passwords, and our Nexus server serving Chocolatey packages requires authentication.

Problem: those users enter their correct password but it fails to authenticate correctly.

This applies both to the interactive prompt for user/password and to a user/password stored with source add --user --password.

What is Expected?

Users having passwords with non-ASCII characters should still be able to use Chocolatey with authenticating repositories.

How Did You Get This To Happen?

Interactive:

  1. Add a source to Chocolatey requiring authentication
  2. Call: choco install toto
  3. choco connects to the source, realizes authentication is needed and asks the user for their login / password
  4. The user types the correct login and correct password (which includes non-ASCII characters)
  5. Chocolatey still fails to authenticate with the authenticating source and asks for credentials again

Non Interactive:

  1. Add a source to Chocolatey requiring authentication with user/password information, and a password containing non-ASCII characters
  2. Call: choco install toto
  3. choco connects to the source and uses the provided credentials
  4. Chocolatey still fails to authenticate with the authenticating source and fails to install the package

System Details

  • Operating System: 10.0.22631.0
  • Windows PowerShell version:
Name                           Value
----                           -----
PSVersion                      5.1.22621.4391
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.4391
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

  • Chocolatey CLI Version: 2.4.1

  • Chocolatey Licensed Extension version:

  Chocolatey v2.4.1
  0 packages installed.
  • Chocolatey License type: None
  • Terminal/Emulator: Windows Terminal

Installed Packages

PS C:\work\chocolatey\sources\choco_vIDEMIA> choco list
Chocolatey v2.4.1
checksum 0.3.1
chocolatey 2.4.1
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-visualstudio.extension 1.11.1
chocolatey-windowsupdate.extension 1.0.5
curl 7.68.0
dependencies 1.11.1
DotNet3.5 3.5.20241212
dotnet-9.0-sdk 9.0.100
dotnet-9.0-sdk-1xx 9.0.100
dotnetfx 4.8.0.20220524
dotnet-sdk 9.0.100
doxygen.install 1.11.0
git 2.44.0
git.install 2.44.0
graphviz 12.0.0
idemia-choco-stat.hook 0.1.0
InkScape 1.3.2
InnoSetup 6.3.2
KB2919355 1.0.20160915
KB2919442 1.0.20160915
KB2999226 1.0.20181019
KB3033929 1.0.5
KB3035131 1.0.3
kdenlive 24.5.2
lsd 1.1.2
make 4.4.1
microsoft-windows-terminal 1.19.10573
mobaxterm 24.2.0
mRemoteNG 1.76.20.24615
my_program 1.0.0
netfx-4.8 4.8.0.20220524
netfx-4.8.1 4.8.1
netfx-4.8-devpack 4.8.0.20190930
nodejs-lts 22.11.0
nuget.commandline 6.12.1
paint.net 5.0.12
putty 0.80.0
putty.portable 0.80.0
ripgrep 14.1.0
tool.external.chocolateygui 2.2.0
transifex-cli 1.6.17
treesizefree 4.7.3.1
vcredist140 14.38.33135
virtualbox 7.0.20
virtualbox-guest-additions-guest.install 7.0.20
visualstudio2019buildtools 16.11.42
visualstudio-installer 2.0.3
wixtoolset 3.14.1
51 packages installed.

Output Log

This is how to reproduce the problem.

C:\work>choco source add -n=local -s=http://localhost:8080/ --user philippe --password éçù
Chocolatey v2.4.1
Added local - http://localhost:8080/ (Priority 0)

C:\work>choco install --yes --verbose --debug toto
Chocolatey v2.4.1
Chocolatey is running on Windows v 6.2.9200.0
Attempting to delete file "C:/ProgramData/chocolatey/bin/choco.exe.old".
Attempting to delete file "C:\ProgramData\chocolatey\bin\choco.exe.old".
Command line: choco  install --yes --verbose --debug toto
Received arguments: install --yes --verbose --debug toto
RemovePendingPackagesTask is now ready and waiting for PreRunMessage.
Sending message 'PreRunMessage' out if there are subscribers...
[Pending] Removing all pending packages that should not be considered installed...
Performing validation checks.
Global Configuration Validation Checks:
 - Package Exit Code / Exit On Reboot = Checked
System State Validation Checks:
 Reboot Requirement Checks:
 - Pending Computer Rename = Checked
 - Pending Component Based Servicing = Checked
 - Pending Windows Auto Update = Checked
 - Pending File Rename Operations = Ignored
 - Pending Windows Package Installer = Checked
 - Pending Windows Package Installer SysWow64 = Checked
Cache Folder Lockdown Checks:
 - Elevated State = Checked
 - Folder Exists = Checked
 - Folder lockdown = Checked
The source 'http://localhost:8080/' evaluated to a 'normal' source type

NOTE: Hiding sensitive configuration data! Please double and triple
 check to be sure no sensitive data is shown, especially if copying
 output to a gist for review.
Configuration: CommandName='install'|
CacheLocation='C:\Users\g582619\AppData\Local\Temp\chocolatey'|
CommandExecutionTimeoutSeconds='2700'|WebRequestTimeoutSeconds='30'|
Sources='http://localhost:8080/'|SourceType='normal'|
IncludeConfiguredSources='False'|ShowOnlineHelp='False'|Debug='True'|
Verbose='True'|Trace='False'|Force='False'|Noop='False'|
HelpRequested='False'|UnsuccessfulParsing='False'|RegularOutput='True'|
QuietOutput='False'|PromptForConfirmation='False'|
DisableCompatibilityChecks='False'|AcceptLicense='True'|
AllowUnofficialBuild='False'|Input='toto'|AllVersions='False'|
SkipPackageInstallProvider='False'|SkipHookScripts='False'|
PackageNames='toto'|Prerelease='False'|ForceX86='False'|
OverrideArguments='False'|NotSilent='False'|
ApplyPackageParametersToDependencies='False'|
ApplyInstallArgumentsToDependencies='False'|IgnoreDependencies='False'|
CacheExpirationInMinutes='30'|AllowDowngrade='False'|
ForceDependencies='False'|PinPackage='False'|
Information.PlatformType='Windows'|
Information.PlatformVersion='6.2.9200.0'|
Information.PlatformName='Windows 8'|
Information.ChocolateyVersion='2.4.1.0'|
Information.ChocolateyProductVersion='2.4.1'|
Information.FullName='choco, Version=2.4.1.0, Culture=neutral, PublicKeyToken=79d02ea9cad655eb'|

Information.Is64BitOperatingSystem='True'|
Information.Is64BitProcess='True'|Information.IsInteractive='True'|
Information.IsUserAdministrator='True'|
Information.IsUserSystemAccount='False'|
Information.IsUserRemoteDesktop='False'|
Information.IsUserRemote='False'|Information.IsProcessElevated='True'|
Information.IsLicensedVersion='False'|
Information.IsLicensedAssemblyLoaded='False'|
Information.LicenseType='Foss'|Information.CurrentDirectory='C:\work'|
Features.AutoUninstaller='True'|Features.ChecksumFiles='True'|
Features.AllowEmptyChecksums='False'|
Features.AllowEmptyChecksumsSecure='True'|
Features.FailOnAutoUninstaller='False'|
Features.FailOnStandardError='False'|Features.UsePowerShellHost='True'|
Features.LogEnvironmentValues='False'|Features.LogWithoutColor='False'|
Features.VirusCheck='False'|
Features.FailOnInvalidOrMissingLicense='False'|
Features.IgnoreInvalidOptionsSwitches='True'|
Features.UsePackageExitCodes='True'|
Features.UseEnhancedExitCodes='False'|
Features.UseFipsCompliantChecksums='False'|
Features.ShowNonElevatedWarnings='True'|
Features.ShowDownloadProgress='True'|
Features.StopOnFirstPackageFailure='False'|
Features.UseRememberedArgumentsForUpgrades='False'|
Features.IgnoreUnfoundPackagesOnUpgradeOutdated='False'|
Features.SkipPackageUpgradesWhenNotInstalled='False'|
Features.RemovePackageInformationOnUninstall='False'|
Features.ExitOnRebootDetected='False'|
Features.LogValidationResultsOnWarnings='True'|
Features.UsePackageRepositoryOptimizations='True'|
Features.UsePackageHashValidation='False'|
ListCommand.LocalOnly='False'|
ListCommand.IdOnly='False'|ListCommand.IncludeRegistryPrograms='False'|
ListCommand.PageSize='25'|ListCommand.Exact='False'|
ListCommand.ByIdOnly='False'|ListCommand.ByTagOnly='False'|
ListCommand.IdStartsWith='False'|ListCommand.OrderByPopularity='False'|
ListCommand.ApprovedOnly='False'|
ListCommand.DownloadCacheAvailable='False'|
ListCommand.NotBroken='False'|
ListCommand.IncludeVersionOverrides='False'|
ListCommand.ExplicitPageSize='False'|
ListCommand.ExplicitSource='False'|
UpgradeCommand.FailOnUnfound='False'|
UpgradeCommand.FailOnNotInstalled='False'|
UpgradeCommand.NotifyOnlyAvailableUpgrades='False'|
UpgradeCommand.ExcludePrerelease='False'|
UpgradeCommand.IgnorePinned='False'|
NewCommand.AutomaticPackage='False'|
NewCommand.UseOriginalTemplate='False'|SourceCommand.Command='unknown'|
SourceCommand.Priority='0'|SourceCommand.BypassProxy='False'|
SourceCommand.AllowSelfService='False'|
SourceCommand.VisibleToAdminsOnly='False'|
FeatureCommand.Command='unknown'|ConfigCommand.Command='Unknown'|
ApiKeyCommand.Command='Unknown'|PinCommand.Command='Unknown'|
OutdatedCommand.IgnorePinned='False'|
ExportCommand.IncludeVersionNumbers='False'|Proxy.BypassOnLocal='True'|
TemplateCommand.Command='unknown'|CacheCommand.Command='Unknown'|
CacheCommand.RemoveExpiredItemsOnly='False'|
_ Chocolatey:ChocolateyInstallCommand - Normal Run Mode _
Installing the following packages:
toto
By installing, you accept licenses for the packages.
Process Tree: Chocolatey CLI => cmd => WindowsTerminal => explorer
Updating User Agent to 'Chocolatey Command Line/2.4.1 via NuGet Client/6.4.1 (Microsoft Windows NT 6.2.9200.0)'.
Running list with the following filter = ''
--- Start of List ---
Process Tree: Chocolatey CLI => cmd => WindowsTerminal => explorer
Updating User Agent to 'Chocolatey Command Line/2.4.1 via NuGet Client/6.4.1 (Microsoft Windows NT 6.2.9200.0)'.
Resolving resource PackageSearchResource for source C:\ProgramData\chocolatey\lib
checksum 0.3.1
chocolatey 2.4.1
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-visualstudio.extension 1.11.1
chocolatey-windowsupdate.extension 1.0.5
curl 7.68.0
dependencies 1.11.1
DotNet3.5 3.5.20241212
dotnet-9.0-sdk 9.0.100
dotnet-9.0-sdk-1xx 9.0.100
dotnetfx 4.8.0.20220524
dotnet-sdk 9.0.100
doxygen.install 1.11.0
git 2.44.0
git.install 2.44.0
graphviz 12.0.0
idemia-choco-stat.hook 0.1.0
InkScape 1.3.2
InnoSetup 6.3.2
KB2919355 1.0.20160915
KB2919442 1.0.20160915
KB2999226 1.0.20181019
KB3033929 1.0.5
KB3035131 1.0.3
kdenlive 24.5.2
lsd 1.1.2
make 4.4.1
microsoft-windows-terminal 1.19.10573
mobaxterm 24.2.0
mRemoteNG 1.76.20.24615
my_program 1.0.0
netfx-4.8 4.8.0.20220524
netfx-4.8.1 4.8.1
netfx-4.8-devpack 4.8.0.20190930
nodejs-lts 22.11.0
nuget.commandline 6.12.1
paint.net 5.0.12
putty 0.80.0
putty.portable 0.80.0
ripgrep 14.1.0
tool.external.chocolateygui 2.2.0
transifex-cli 1.6.17
treesizefree 4.7.3.1
vcredist140 14.38.33135
virtualbox 7.0.20
virtualbox-guest-additions-guest.install 7.0.20
visualstudio2019buildtools 16.11.42
visualstudio-installer 2.0.3
wixtoolset 3.14.1
--- End of List ---
Resolving resource ListResource for source http://localhost:8080/
Attempting to gather credentials for 'http://localhost:8080/'
Using saved credentials
Invalid credentials specified.
Attempting to gather credentials for 'http://localhost:8080/'
Using saved credentials
Invalid credentials specified.
Attempting to gather credentials for 'http://localhost:8080/'
Using saved credentials
Invalid credentials specified.
Attempting to gather credentials for 'http://localhost:8080/'
Using saved credentials
[NuGet]   GET http://localhost:8080/$metadata
[NuGet]   Unauthorized http://localhost:8080/$metadata 4ms
[NuGet]   GET http://localhost:8080/Packages()?$filter=(tolower(Id) eq 'toto') and IsLatestVersion&semVerLevel=2.0.0
[NuGet]   Unauthorized http://localhost:8080/Packages()?$filter=(tolower(Id) eq 'toto') and IsLatestVersion&semVerLevel=2.0.0 4ms
Unable to connect to source 'http://localhost:8080/':
 NuGet.Protocol.Core.Types.FatalProtocolException: Failed to fetch results from V2 feed at 'http://localhost:8080/Packages()?$filter=(tolower(Id)%20eq%20'toto')%20and%20IsLatestVersion&semVerLevel=2.0.0' with following message : Response status code does not indicate success: 401 (Unauthorized). ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at NuGet.Protocol.HttpSource.<>c__DisplayClass15_0`1.<<GetAsync>b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at NuGet.Common.ConcurrencyUtilities.<ExecuteWithFileLockedAsync>d__6`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at NuGet.Common.ConcurrencyUtilities.<ExecuteWithFileLockedAsync>d__6`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at NuGet.Common.ConcurrencyUtilities.<ExecuteWithFileLockedAsync>d__5`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at NuGet.Protocol.HttpSource.<GetAsync>d__15`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at NuGet.Protocol.V2FeedParser.<LoadXmlAsync>d__91.MoveNext()
   --- End of inner exception stack trace ---
   at NuGet.Protocol.V2FeedParser.<LoadXmlAsync>d__91.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at NuGet.Protocol.V2FeedParser.<QueryV2FeedAsync>d__89.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at NuGet.Protocol.V2FeedParser.<GetPackagesPageAsync>d__77.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at NuGet.Protocol.V2FeedListResource.<PackageAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at chocolatey.infrastructure.app.nuget.NugetList.<>c__DisplayClass20_1.<FindPackage>b__1()
   at chocolatey.infrastructure.tolerance.FaultTolerance.TryCatchWithLoggingException[T](Func`1 function, String errorMessage, Boolean throwError, Boolean logWarningInsteadOfError, Boolean logDebugInsteadOfError, Boolean isSilent)
toto not installed. The package was not found with the source(s) listed.
 Source(s): 'http://localhost:8080/'
 NOTE: When you specify explicit sources, it overrides default sources.
If the package version is a prerelease and you didn't specify `--pre`,
 the package may not be found.
Please see https://docs.chocolatey.org/en-us/troubleshooting for more
 assistance.

Chocolatey installed 0/1 packages. 1 packages failed.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

Failures
 - toto - toto not installed. The package was not found with the source(s) listed.
 Source(s): 'http://localhost:8080/'
 NOTE: When you specify explicit sources, it overrides default sources.
If the package version is a prerelease and you didn't specify `--pre`,
 the package may not be found.
Please see https://docs.chocolatey.org/en-us/troubleshooting for more
 assistance.
Sending message 'PostRunMessage' out if there are subscribers...
Exiting with 1

And the output on the server side:

127.0.0.1 - - [14/Jan/2025 11:37:04] "GET /Packages()?$filter=(tolower(Id)%20eq%20'toto')%20and%20IsLatestVersion&semVerLevel=2.0.0 HTTP/1.1" 401 -
Accept: application/atom+xml, application/xml
X-NuGet-Session-Id: a23cc716-931a-4012-a325-224cc37b1e08
user-agent: Chocolatey Command Line/2.4.1 via NuGet Client/6.4.1 (Microsoft Windows NT 6.2.9200.0)
X-NuGet-Client-Version: 6.4.1
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Authorization: Basic cGhpbGlwcGU66ef5
Host: localhost:8080
Connection: Keep-Alive


Decoding header for `Authorization`
Authorization (binary encoded):  b'philippe:\xe9\xe7\xf9'
ERROR, could not decode Authorization header in UTF8
Authorization (latin1 decoded): philippe:éçù
127.0.0.1 - - [14/Jan/2025 11:37:04] "GET /Packages()?$filter=(tolower(Id)%20eq%20'toto')%20and%20IsLatestVersion&semVerLevel=2.0.0 HTTP/1.1" 401 -

Additional Context

I tracked this down because I really need chocolatey to authenticate to nexus for all our users.

The password is correctly read by Chocolatey; a NetworkCredential object with the correct password is passed to WebRequest.

So this is actually a .NET Framework bug, which I was able to reproduce quite simply. The bug is present in .NET Framework 4.8.1 but not in .NET 5 and above.

The problem is that .NET incorrectly encodes the authentication header in the HTTP request. It's kind of a grey area but most servers, and at least Nexus, expect the authentication header to contain user + password, in UTF-8, Base64-encoded. It looks like .NET 4.8.1 uses a different encoding, probably a reinterpretation of UTF-16, but I am not clear on that part.

A simple way to reproduce the problem:

  1. Run the attached Python file, simulating a server.
  2. choco source add local -s http://localhost:8080/ -n local --user philippe --password éçù
  3. choco install toto

The installation will fail, but the interesting part is on the Python server: it shows you that it could not decode the Authentication header in UTF-8.

I also attach a simple CS file to reproduce the problem more simply with the same Python server.

And last but not least, I have a workaround for this. Not a pretty one. Basically, .NET Framework 4.8 incorrectly interprets NetworkCredential objects with a password containing non-ASCII characters. By cheating on the password value, it's possible to have .NET issue the correct authentication header.

It looks like this :

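            // Requires: using System.Net; using System.Text;
            string orig_pwd = "éçùèऀ§";
            // Reread the password's UTF-8 bytes as Windows-1252 text before handing it to NetworkCredential.
            string pwd = Encoding.GetEncoding(1252).GetString(Encoding.UTF8.GetBytes(orig_pwd));
            NetworkCredential myCred = new NetworkCredential("philippe", pwd);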

I'll submit a PR sometime for this.
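The encoding mismatch reported above, reproduced offline from the logged header as an added example (not part of the issue or its attachments). The function names are hypothetical, and the client is assumed to build the header with a single-byte Windows code page; for éçù the Latin-1 and Windows-1252 bytes are identical.

```python
import base64

# Header value copied from the server-side log on this page.
LOGGED_HEADER = "Basic cGhpbGlwcGU66ef5"


def basic_header(user: str, password: str, charset: str) -> str:
    """Build a Basic Authorization value with user:password encoded in `charset`."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header: str) -> tuple[str, str, str]:
    """Return (user, password, charset_used) for a Basic Authorization value.

    Strict UTF-8 is tried first; Latin-1 is the fallback because it maps
    every byte to a character and therefore never fails.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token, validate=True)
    try:
        text, charset = raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        text, charset = raw.decode("latin-1"), "latin-1"
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' between user and password")
    return user, password, charset


def workaround_password(password: str) -> str:
    """Python rendering of the C# workaround: UTF-8 bytes reread as cp1252.

    Python's cp1252 codec rejects the five unassigned bytes (0x81, 0x8D,
    0x8F, 0x90, 0x9D), so this raises for passwords whose UTF-8 form
    contains one of them.
    """
    return password.encode("utf-8").decode("cp1252")


if __name__ == "__main__":
    print("logged header :", decode_basic(LOGGED_HEADER))
    utf8 = basic_header("philippe", "éçù", "utf-8")
    print("UTF-8 client  :", utf8, decode_basic(utf8))
    # Assumption: the client encodes with cp1252 when it builds the header.
    fixed = basic_header("philippe", workaround_password("éçù"), "cp1252")
    print("workaround    :", fixed, "matches UTF-8 header:", fixed == utf8)
```

The Latin-1 fallback in `decode_basic` is ambiguous for passwords whose single-byte encoding happens to be valid UTF-8, so a server that accepts both should check the stored secret against each candidate rather than trust the guessed charset.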

Labels: 3 - Review, Bug, Requires Upstream Change