Incorrect parsing for HTTPS_PROXY uris with userinfo but not password #3972

@jeffgarrett

Version
Encountered via uv's autoupdate functionality, present in the most recent version of uv.

Platform
Windows WSL2 with Ubuntu 22.04 distribution.

Description
(Apologies if this is the wrong place, I had to make a few inferences/assumptions to get to this point...)

At my place of employment, we have a proxy. Unproxied access can be blackholed, depending on the particulars of the request.

Our proxy environment variable is set in the form HTTPS_PROXY=http://{user}@{domain}:{port} and in this form uv self update hangs indefinitely, while trying to access https://api.github.com, a domain that is only accessible via the proxy.

Therefore, I realized uv self update was not using the proxy. That depends on axoupdater, which uses reqwest, and I read enough to learn that it is expected to pick up the proxy from the standard environment variable.

After reading more code, I believe that reqwest uses hyper_util for parsing and matching the system proxy variables. And I believe I found the offending line:
https://github.com/hyperium/hyper-util/blob/master/src/client/proxy/matcher.rs#L361

The code expects a colon in the userinfo if present. When I change my proxy variable to HTTPS_PROXY=http://{user}:@{domain}:{port} (note, "@" replaced by ":@"), then uv self update works immediately!

I tried to check whether this is technically valid or not:

RFC 1738 said :<password> was optional.

Newer RFC 3986 said "The userinfo subcomponent may consist of a user name and, optionally, scheme-specific information about how to gain authorization to access the resource." (emphasis mine)

Therefore, I think the form of our proxy variable is valid.

Curl supports this format, and most other apps do too (judging by approx 2.5y personal experience with the variable set in this format).
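
The two HTTPS_PROXY forms from the report, run through a strict and a tolerant userinfo parser. This is an added example, not code from the issue or from hyper-util; `ProxyTarget`, the function names and the sample URIs are assumptions made up for illustration.

```rust
// Added illustration; hypothetical names, not hyper-util's implementation.
#[derive(Debug, PartialEq)]
struct ProxyTarget {
    host_port: String,
    user: Option<String>,
    password: Option<String>, // None = no ':' present; Some("") = "user:@"
}

/// Splits "scheme://[userinfo@]host:port[/...]" into (userinfo, host:port).
fn split_authority(uri: &str) -> Option<(Option<&str>, &str)> {
    let rest = uri.split_once("://")?.1;
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    // A literal '@' is not valid in host:port, so userinfo ends at the last '@'.
    let (info, host_port) = match authority.rsplit_once('@') {
        Some((info, hp)) => (Some(info), hp),
        None => (None, authority),
    };
    if host_port.is_empty() { None } else { Some((info, host_port)) }
}

/// Strict: userinfo without ':' makes the whole proxy setting unusable.
fn parse_requiring_colon(uri: &str) -> Option<ProxyTarget> {
    let (info, host_port) = split_authority(uri)?;
    let (user, password) = match info {
        Some(i) => { let (u, p) = i.split_once(':')?; (Some(u.to_string()), Some(p.to_string())) }
        None => (None, None),
    };
    Some(ProxyTarget { host_port: host_port.to_string(), user, password })
}

/// Tolerant: password is optional, per the RFC 3986 text quoted in the issue.
fn parse_optional_password(uri: &str) -> Option<ProxyTarget> {
    let (info, host_port) = split_authority(uri)?;
    let (user, password) = match info.map(|i| i.split_once(':').ok_or(i)) {
        Some(Ok((u, p))) => (Some(u.to_string()), Some(p.to_string())),
        Some(Err(u)) => (Some(u.to_string()), None),
        None => (None, None),
    };
    Some(ProxyTarget { host_port: host_port.to_string(), user, password })
}

fn main() {
    // Constructed sample values, shaped like the two forms in the issue.
    for uri in ["http://alice@proxy.example.test:3128", "http://alice:@proxy.example.test:3128"] {
        println!("{uri}\n  strict:   {:?}\n  tolerant: {:?}",
                 parse_requiring_colon(uri), parse_optional_password(uri));
    }
}
```

With the strict parser the first form yields no proxy at all, so a caller that treats that result as "no proxy configured" connects directly instead of reporting a configuration error.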

Labels: C-bug (Category: bug. Something is wrong. This is bad!), K-hyper-util (Crate: hyper-util)