Bug #37172 Agent login cannot contain special chars @
Submitted: 3 Jun 2008 22:30 Modified: 19 Nov 2009 11:03
Reporter: Adam Dixon Email Updates:
Status: Closed Impact on me: None
Category:MySQL Enterprise Monitor: Agent Severity:S3 (Non-critical)
Version:1.3,2.0.0.7029 OS:Any
Assigned to: Michael Schuster CPU Architecture:Any

[3 Jun 2008 22:30] Adam Dixon
Description:
You can still use the dashboard after initial installation to change the agent password to something like '@gent' and cause errors;

2008-06-04 07:44:45: (critical) curl_easy_perform('http://agent:@gent@127.0.0.1:18080/merlin/heartbeat') failed: Couldn't resolve host 'gent@127.0.0.1' (code = 6, os-errno = 0)

Similar to bug 26044

How to repeat:
Set the agent password to connect to the dashboard to @gent.

Suggested fix:
Do not allow the use of @ in the password change dialog, or document the inability to handle this.
[12 Jun 2008 15:18] Kay Roepke
Could you please expand on the steps to reproduce this?
When I URL-encode the @ in the agent configuration file it works as expected.

Thanks
[12 Jun 2008 21:03] Adam Dixon
If you change the password post installation, you then need to update the config file manually.
It is not mentioned in the interface that the password has to be URL-encoded, nor does it do it for you so you can paste this into the configuration file.
[12 Jun 2008 21:09] Adam Dixon
That is -
 - Install setting password to 'bob'
 - update password using dashboard to '@agent'
 - update config file manually as customer would
 - error as it is not URL-encoded.

Could be mentioned in the interface that this is a requirement, at least if a char is in the pw that requires it. It's also not documented from what I can tell.
[15 Aug 2008 19:57] Gary Whizin
Let's take Adam's suggested fix for now: disallow special characters in Dashboard's Settings/Manage Users password handling. Later, we can remove this limitation once we've addressed the issue on the agent side.

QA: after this bug is verified, assign to Documentation.
Doc: after documenting, change to "to be fixed later" :)
[18 Aug 2008 18:36] Josh Sled
FFR, the list of reserved chars to be escaped:  http://en.wikipedia.org/wiki/Percent-encoding#Types_of_URI_characters
[19 Aug 2008 23:49] Josh Sled
revno: 6214
revision-id: jsled@asynchronous.org-20080819232207-ehwdausx2euoprbj
parent: jsled@asynchronous.org-20080819232117-ezckkom6lgly569l
committer: Josh Sled <jsled@asynchronous.org>
branch nick: local
timestamp: Tue 2008-08-19 19:22:07 -0400
message:
  Bug#37172: test the agent password string for the presence of "[url] reserved" characters, and disallow.  This solution is lame.
modified:
  src/com/mysql/merlin/ui/actions/settings/users/EditUser.java 5804@3c33494c-61f7-0310-86b9-b90697347e9d:trunk;1cbac073fe1d3e0d86211da53921520e8caac861
  src/com/mysql/merlin/ui/helper/ErrorCodeMapping.java errorcodemapping.jav-20080430171212-8vqab07r9l00h4d5-1
  src/resources_en.utf8          resources_en.utf8-20080717185917-kfpwvs7kmp2mb04b-1
  src/resources_ja.utf8          resources_ja.utf8-20080204194215-rjksjbd0fp3oy4sa-1
  test/com/mysql/merlin/ui/actions/settings/users/EditUserTest.java 7159@3c33494c-61f7-0310-86b9-b90697347e9d:trunk;2f58bd6fc03dfd73a79714a19c8b9771561c82cc

(Note action unit test)
[8 Sep 2008 15:54] Tony Bedford
An entry was added to the features/changes section of the 2.0 changelog: 

The dashboard could be used to change the agent password to one containing the @ character, or other special characters, which subsequently caused errors. To fix this problem, special characters in passwords are now prevented by the dashboard. The list of disallowed special characters can be found at the following location: http://en.wikipedia.org/wiki/Percent-encoding#Types_of_URI_characters
[21 Oct 2009 9:05] Enterprise Tools JIRA Robot
Michael Schuster writes: 
revno: 1499
committer: michael.schuster@sun.com
branch nick: trunk
timestamp: Tue 2009-10-20 02:15:44 -0700
message:
  EM-2663
[23 Oct 2009 0:32] Enterprise Tools JIRA Robot
Keith Russell writes: 
Patch installed in versions => 2.2.0.1516.
[23 Oct 2009 17:40] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Tested with service manager build 2.2.0.1517 and agent build 2.2.0.1516.

Test cases are as indicated in "1)" above [see 19/Oct/09 11:27 PM comment]:

Case 1:
agent-mgmt-hostname=http://username@host:port/
agent-mgmt-password=passwd
Result: *Fail*
The agent cannot connect and its log has the following messages:
2009-10-23 12:16:05: (critical) authentication information in agent-mgmt-hostname will be overridden by agent-mgmt-password
2009-10-23 12:16:05: (critical) <-- received HTTP-status: 401 (failed) for 'http://agent@127.0.0.1:18080/heartbeat': authentication credentials incorrect

Case 2:
agent-mgmt-hostname=http://user:pass@host:port/
Result: *Pass*
The agent connects as before; no new log messages.

Case 3:
agent-mgmt-hostname=http://host:port/
agent-mgmt-username=user
agent-mgmt-password=passwd
Result: *Pass*
The agent connects as before; no new log messages.

Case 4:
agent-mgmt-hostname=http://olduser:oldpass@host:port/
agent-mgmt-username=user
agent-mgmt-password=passwd
Result: *Pass*
The agent connects and its log now issues the following message:
2009-10-23 11:37:31: (critical) authentication information in agent-mgmt-hostname will be overridden by agent-mgmt-username

Note:
The reversal of the limitation in the MEM UI, which does not allow special chars in the user password, still remains to be tested (not in this build yet).
[23 Oct 2009 19:53] Enterprise Tools JIRA Robot
Josh Sled writes: 
revno: 7587
revision-id: jsled@asynchronous.org-20091023194933-2j4hhqe0vw0e64x1
parent: jsled@asynchronous.org-20091023183944-69jz60a5hims81l6
committer: Josh Sled <jsled@asynchronous.org>
branch nick: local
timestamp: Fri 2009-10-23 15:49:33 -0400
message:
  EM-3524, EM-2663 related: no longer filter "reserved" agent password characters.
[26 Oct 2009 17:36] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Verified that as of build 2.2.0.1518, the MEM UI no longer filters "reserved" (special) agent password characters.
[2 Nov 2009 23:46] Enterprise Tools JIRA Robot
Andy Bang writes: 
Seems to be related to Bug #48219 - MEM upgrader does not escape special characters.
[9 Nov 2009 13:39] Enterprise Tools JIRA Robot
Michael Schuster writes: 
I think I was overoptimistic when I wrote my initial comment about "behaviour". As it turns out, one cannot mix and match "old" and "new" styles: curl will remove anything before and including the "@" in agent-mgmt-hostname if either -username or -password are present. For completeness' sake, here are the valid combinations (a limited quote from that same comment):

agent-mgmt-hostname=http://user:pass@host:port/

and

agent-mgmt-hostname=http://host:port/
agent-mgmt-username=user
agent-mgmt-password=passwd

are all valid combinations.

if used like this:

agent-mgmt-hostname=http://olduser:oldpass@host:port/
agent-mgmt-username=user
agent-mgmt-password=passwd

olduser and oldpass will be ignored.
[9 Nov 2009 13:53] Enterprise Tools JIRA Robot
Michael Schuster writes: 
no new code, just changed allowed modes
[12 Nov 2009 9:53] Enterprise Tools JIRA Robot
Michael Schuster writes: 
Alas, the situation with "mixed mode" is not as clear-cut as we'd like; if we use libcurl versions older than 7.19.01, we are restricted to either 

    agent-mgmt-hostname=http://user:pass@host:port/
or
    agent-mgmt-hostname=http://host:port/
    agent-mgmt-username=user
    agent-mgmt-password=passwd

newer versions though *do* accept constructs like

    agent-mgmt-hostname=http://username@host:port/
    agent-mgmt-password=passwd
or
    agent-mgmt-hostname=http://:pass@host:port/
    agent-mgmt-username=user

This is due to the introduction of curl options CURLOPT_USERNAME and CURLOPT_PASSWORD, which made the more liberal handling possible. Before that, CURLOPT_USERPWD was the only way to set username/password information, and this option exhibits an all-or-nothing approach: when it's used, anything before the @ in the URL is ignored.

Note that the newer version needs to be present at compile- *and* at run-time to get the new behaviour.
[13 Nov 2009 19:54] Enterprise Tools JIRA Robot
Keith Russell writes: 
Patch installed in versions => 2.2.0.1538.
[16 Nov 2009 22:53] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Verified fixed in agent build 2.2.0.1538.

Notice (as explained in the latest comment from Dev) that "mixed mode" is not supported.
[16 Nov 2009 23:02] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Notice that if used like this:

agent-mgmt-hostname=http://olduser:oldpass@host:port/
agent-mgmt-username=user
agent-mgmt-password=passwd

You get the following error message:
2009-11-16 16:55:47: (critical) no authentication information allowed in agent-mgmt-hostname if agent-mgmt-username and agent-mgmt-password are given
2009-11-16 16:55:47: (critical) chassis.c:894: Failure from chassis_mainloop. Shutting down.
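An added example (not MEM's or libcurl's own code) of the two rules this thread settles on: percent-encode reserved characters when credentials are embedded in agent-mgmt-hostname, and never combine URL-embedded credentials with agent-mgmt-username/-password. All function names are my own; the first-'@' split in naive_host only models the host name that appears in the original report's log, not libcurl's actual parser.

```python
from urllib.parse import quote, unquote, urlsplit

# RFC 3986 "reserved" characters (the set behind the Wikipedia link in the thread).
RESERVED = set("!*'();:@&=+$,/?#[]")


def has_reserved_chars(s):
    """The filter the dashboard applied in 2.0 and dropped again in 2.2.0.1518."""
    return any(c in RESERVED for c in s)


def naive_host(url):
    """Assumed model of the failure in the report: splitting the authority at the
    FIRST '@' turns 'agent:@gent@127.0.0.1:18080' into host 'gent@127.0.0.1:18080'."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    return authority.split("@", 1)[1] if "@" in authority else authority


def build_mgmt_url(host, port, user, password, path="/heartbeat"):
    """Embed credentials with every reserved char percent-encoded;
    quote(..., safe='') turns '@gent' into '%40gent', so the URL has one '@'."""
    return "http://%s:%s@%s:%d%s" % (quote(user, safe=""), quote(password, safe=""),
                                     host, port, path)


def parse_agent_config(text):
    """Minimal key=value reader for the agent config lines quoted in the thread."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def effective_credentials(cfg):
    """Rule enforced from agent build 2.2.0.1538: credentials live either in
    agent-mgmt-hostname or in agent-mgmt-username/-password, never in both
    (treating either explicit key as "mixed mode", the stricter reading).
    Returns (host, user, password); raises ValueError on mixed mode."""
    parts = urlsplit(cfg.get("agent-mgmt-hostname", ""))
    explicit = "agent-mgmt-username" in cfg or "agent-mgmt-password" in cfg
    if parts.username is not None and explicit:
        raise ValueError("no authentication information allowed in agent-mgmt-hostname "
                         "if agent-mgmt-username and agent-mgmt-password are given")
    if explicit:
        return parts.hostname, cfg.get("agent-mgmt-username", ""), cfg.get("agent-mgmt-password", "")
    # urlsplit keeps userinfo percent-encoded; unquote restores the real password
    return parts.hostname, unquote(parts.username or ""), unquote(parts.password or "")
```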
[19 Nov 2009 11:03] Tony Bedford
Also added to 2.2.0 changelog.