
Bug 355587

Summary: Auth for https repositories being sent in the clear to proxy via CONNECT method when downloading indexes
Product: z_Archived
Reporter: prunge
Component: m2e
Assignee: Project Inbox <m2e.core-inbox>
Status: CLOSED INVALID
QA Contact:
Severity: critical
Priority: P3
CC: igor
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Windows 7
Whiteboard:
Attachments:
- Maven settings.xml. (flags: none)
- HTTP request/response dump (flags: none)

Description prunge CLA 2011-08-23 20:40:09 EDT
Build Identifier: 20110615-0604

After attempting to connect to a remote repository via a proxy server using M2Eclipse, I noticed while looking at the network traffic that authentication details for the repository are being sent to the proxy server in the clear.  

This is what is defined in settings.xml:

- two proxy server entries, one for http and one for https.  Both go to the same address.
- a mirror for a remote nexus repository that mirrors central - all requests for central should go to that repository.  This mirror is via https.
- username and password for the mirror nexus repository.
- the same proxy has been configured in the Eclipse general settings.  Confirmed to work as I managed to download and install the M2Eclipse plugin using that proxy.

This is what I see happening:

- I force M2Eclipse to download indexes by clicking on the Update Settings button in the Maven / User Settings configuration page in Eclipse's Window Preferences.
- I get a message in the error log "Unable to update index for nexus|https://www.mynexusrepo.com/nexus/content/groups/public"

Using the Wireshark packet sniffer, I see the following network traffic:

Request:
CONNECT www.mynexusrepo.com:443 HTTP/1.0
Host: www.mynexusrepo.com
Authorization: Basic YXVzZXI6cGFzczEyMw==
Connection: keep-alive
Proxy-Connection: keep-alive
Accept: */*
User-Agent: m2e/3.7.0.v20110613/1.0.0.20110607-2117

Response:
HTTP/1.1 407 Proxy Access Denied
Expires: 0
(snip additional headers)

The problem is that my repository authorization details, which should be transmitted only via an encrypted HTTPS channel, are actually being sent across the network in the clear to the proxy.  The Authorization header should not be transmitted as part of the CONNECT to the proxy, only in encrypted tunneled requests after the tunnel has been established.  Anyone sniffing my network traffic would now have the username and password to my repository, defeating the purpose of using HTTPS.

(note: server names, user name and password have been changed, but that shouldn't affect the test as long as there is a working proxy configured)

Reproducible: Always

Steps to Reproduce:
1. Unzipped and ran fresh copy of Eclipse 3.7 (20110615-0604).
2. Installed M2Eclipse from marketplace (1.0.0.20110607-2117).
3. After restarting Eclipse, went into Window, Preferences, pressed Update Settings button under Maven, User Settings.
4. Observe "Unable to update index" error in error log that indicates network communication has occurred.
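An added check, not part of this report or of m2e, that parses a captured proxy request of the shape shown above and flags end-server credentials carried on a CONNECT request (the constructed sample reuses the reporter's placeholder host and Basic token; the function and header names are this example's own):

```python
import base64
from typing import Dict, List, Tuple

# Constructed sample, mirroring the CONNECT request in the report above
# (hostname and credentials are the report's placeholders, not real values).
SAMPLE_CONNECT = (
    "CONNECT www.mynexusrepo.com:443 HTTP/1.0\r\n"
    "Host: www.mynexusrepo.com\r\n"
    "Authorization: Basic YXVzZXI6cGFzczEyMw==\r\n"
    "Connection: keep-alive\r\n"
    "Proxy-Connection: keep-alive\r\n"
    "Accept: */*\r\n"
    "User-Agent: m2e/3.7.0.v20110613/1.0.0.20110607-2117\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, headers).
    Header names are lower-cased; any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def find_leaked_credentials(raw: str) -> List[str]:
    """Return findings for a CONNECT request carrying end-server credentials.
    Proxy-Authorization is legitimate on CONNECT; Authorization and Cookie are
    not: they belong inside the TLS tunnel, and on CONNECT they are readable by
    the proxy and by anyone on the path between client and proxy."""
    method, target, headers = parse_request(raw)
    findings: List[str] = []
    if method.upper() != "CONNECT":
        return findings
    for name in ("authorization", "cookie"):
        if name in headers:
            findings.append(f"{name} header sent on CONNECT to {target}")
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        # Basic is just base64: the username is recoverable by any observer.
        try:
            user = base64.b64decode(token).decode().split(":", 1)[0]
            findings.append(f"Basic credentials recoverable (user={user!r})")
        except Exception:
            findings.append("Basic token present but not decodable")
    return findings
```

The same check can be run over every request line captured from the client-to-proxy leg; a clean CONNECT carries at most Proxy-Authorization and yields no findings.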
Comment 1 prunge CLA 2011-08-23 20:43:09 EDT
Created attachment 202044 [details]
Maven settings.xml.

Attached maven settings.xml (repo URL, username, password changed from the real ones).
Comment 2 prunge CLA 2011-08-23 20:46:14 EDT
Created attachment 202045 [details]
HTTP request/response dump

Full HTTP request/response to the proxy server.
Comment 3 Igor Fedorenko CLA 2012-05-21 10:53:06 EDT
Can you check if the problem still exists in recent m2e 1.1 builds?
Comment 4 Igor Fedorenko CLA 2013-09-28 23:59:10 EDT
closing old/stale bug reports
Comment 5 Denis Roy CLA 2021-04-19 13:26:47 EDT
Moved to https://github.com/eclipse-m2e/m2e-core/issues/