Bug #37172 Agent login cannot contain special chars @
Submitted: 4 Jun 2008 0:30 Modified: 19 Nov 2009 12:03
Reporter: Adam Dixon
Status: Closed
Category: Monitoring: Agent
Severity: S3 (Non-critical)
Version: 1.3, 2.0.0.7029
OS: Any
Assigned to: Michael Schuster
Target Version: 2.0 final beta
Triage: D5 (Feature request)

[4 Jun 2008 0:30] Adam Dixon
Description:
You can still use the dashboard after initial installation to change the agent password
to something like '@gent' and cause errors;

2008-06-04 07:44:45: (critical)
curl_easy_perform('http://agent:@gent@127.0.0.1:18080/merlin/heartbeat') failed: Couldn't
resolve host 'gent@127.0.0.1' (code = 6, os-errno = 0)

Similar to bug 26044

How to repeat:
Set the agent password to connect to the dashboard to @gent.

Suggested fix:
Do not allow the use of @ in the password change dialog, or document the inability to
handle this.
[12 Jun 2008 17:18] Kay Roepke
Could you please expand on the steps to reproduce this?
When I URL-encode the @ in the agent configuration file it works as expected.

Thanks
[12 Jun 2008 23:03] Adam Dixon
If you change the password post installation, you then need to update the config file
manually.
It is not mentioned in the interface that the password has to be urlencoded, nor does it
do it for you so you can paste this into the configuration file.
[12 Jun 2008 23:09] Adam Dixon
That is -
 - Install setting password to 'bob'
 - update password using dashboard to '@agent'
 - update config file manually as customer would
 - error as it is not urlencoded.

Could be mentioned in the interface that this is a requirement if a char is in the pw
that requires it, at least. It's also not documented from what I can tell.
[15 Aug 2008 21:57] Gary Whizin
Let's take Adam's suggested fix for now: disallow special characters in Dashboard's
Settings/Manage Users password handling. Later, we can remove this limitation once we've
addressed the issue on the agent side.

QA: after this bug is verified, assign to Documentation.
Doc: after documenting, change to "to be fixed later" :)
[18 Aug 2008 20:36] Josh Sled
FFR, the list of reserved chars to be escaped: 
http://en.wikipedia.org/wiki/Percent-encoding#Types_of_URI_characters
[20 Aug 2008 1:49] Josh Sled
revno: 6214
revision-id: jsled@asynchronous.org-20080819232207-ehwdausx2euoprbj
parent: jsled@asynchronous.org-20080819232117-ezckkom6lgly569l
committer: Josh Sled <jsled@asynchronous.org>
branch nick: local
timestamp: Tue 2008-08-19 19:22:07 -0400
message:
  Bug#37172: test the agent password string for the presence of "[url] reserved"
characters, and disallow.  This solution is lame.
modified:
  src/com/mysql/merlin/ui/actions/settings/users/EditUser.java
  src/com/mysql/merlin/ui/helper/ErrorCodeMapping.java
  src/resources_en.utf8
  src/resources_ja.utf8
  test/com/mysql/merlin/ui/actions/settings/users/EditUserTest.java

(Note action unit test)
[8 Sep 2008 17:54] Tony Bedford
An entry was added to the features/changes section of the 2.0 changelog: 

The dashboard could be used to change the agent password to one containing the @
character, or other special characters, which subsequently caused errors. To fix this
problem, special characters in passwords are now prevented by the dashboard. The list of
disallowed special characters can be found at the following location:
http://en.wikipedia.org/wiki/Percent-encoding#Types_of_URI_characters
[21 Oct 2009 11:05] Enterprise Tools JIRA Robot
Michael Schuster writes: 
revno: 1499
committer: michael.schuster@sun.com
branch nick: trunk
timestamp: Tue 2009-10-20 02:15:44 -0700
message:
  EM-2663
[23 Oct 2009 2:32] Enterprise Tools JIRA Robot
Keith Russell writes: 
Patch installed in versions => 2.2.0.1516.
[23 Oct 2009 19:40] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Tested with service manager build 2.2.0.1517 and agent build 2.2.0.1516.

Test cases are as indicated in "1)" above [see 19/Oct/09 11:27 PM comment]:

Case 1:
agent-mgmt-hostname=http://username@host:port/
agent-mgmt-password=passwd
Result: *Fail*
The agent cannot connect and its log has the following messages:
2009-10-23 12:16:05: (critical) authentication information in agent-mgmt-hostname will be
overridden by agent-mgmt-password
2009-10-23 12:16:05: (critical) <-- received HTTP-status: 401 (failed) for
'http://agent@127.0.0.1:18080/heartbeat': authentication credentials incorrect

Case 2:
agent-mgmt-hostname=http://user:pass@host:port/
Result: *Pass*
The agent connects as before; no new log messages.

Case 3:
agent-mgmt-hostname=http://host:port/
agent-mgmt-username=user
agent-mgmt-password=passwd
Result: *Pass*
The agent connects as before; no new log messages.

Case 4:
agent-mgmt-hostname=http://olduser:oldpass@host:port/
agent-mgmt-username=user
agent-mgmt-password=passwd
Result: *Pass*
The agent connects and its log now issues the following message:
2009-10-23 11:37:31: (critical) authentication information in agent-mgmt-hostname will be
overridden by agent-mgmt-username

Note:
The reversal of the limitation in the MEM UI which does not allow special chars in the
user password still remains to be tested (not in this build yet).
[23 Oct 2009 21:53] Enterprise Tools JIRA Robot
Josh Sled writes: 
revno: 7587
revision-id: jsled@asynchronous.org-20091023194933-2j4hhqe0vw0e64x1
parent: jsled@asynchronous.org-20091023183944-69jz60a5hims81l6
committer: Josh Sled <jsled@asynchronous.org>
branch nick: local
timestamp: Fri 2009-10-23 15:49:33 -0400
message:
  EM-3524, EM-2663 related: no longer filter "reserved" agent password characters.
[26 Oct 2009 18:36] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Verified that as of build 2.2.0.1518, the MEM UI no longer filters "reserved" (special)
agent password characters.
[3 Nov 2009 0:46] Enterprise Tools JIRA Robot
Andy Bang writes: 
Seems to be related to Bug #48219 - MEM upgrader does not escape special characters.
[9 Nov 2009 14:39] Enterprise Tools JIRA Robot
Michael Schuster writes: 
I think I was overoptimistic when I wrote my initial comment about "behaviour". As it
turns out, one cannot mix and match "old" and "new" styles; curl will remove anything
before and including the "@" in agent-mgmt-hostname if either -username or -password is
present. For completeness' sake, here are the valid combinations (a limited quote from
that same comment):

agent-mgmt-hostname=http://user:pass@host:port/

and

agent-mgmt-hostname=http://host:port/
agent-mgmt-username=user
agent-mgmt-password=passwd

are all valid combinations.

If used like this:

agent-mgmt-hostname=http://olduser:oldpass@host:port/
agent-mgmt-username=user
agent-mgmt-password=passwd

olduser and oldpass will be ignored.
[9 Nov 2009 14:53] Enterprise Tools JIRA Robot
Michael Schuster writes: 
No new code, just changed allowed modes.
[12 Nov 2009 10:53] Enterprise Tools JIRA Robot
Michael Schuster writes: 
Alas, the situation with "mixed mode" is not as clear-cut as we'd like; if we use libcurl
versions older than 7.19.01, we are restricted to either 

    agent-mgmt-hostname=http://user:pass@host:port/
or
    agent-mgmt-hostname=http://host:port/
    agent-mgmt-username=user
    agent-mgmt-password=passwd

Newer versions, though, *do* accept constructs like

    agent-mgmt-hostname=http://username@host:port/
    agent-mgmt-password=passwd
or
    agent-mgmt-hostname=http://:pass@host:port/
    agent-mgmt-username=user

This is due to the introduction of curl options CURLOPT_USERNAME and CURLOPT_PASSWORD,
which made the more liberal handling possible. Before that, CURLOPT_USERPWD was the only
way to set username/password information, and this option exhibits an all-or-nothing
approach: when it's used, anything before the @ in the URL is ignored.

Note that the newer version needs to be present at compile- *and* at run-time to get the
new behaviour.
[13 Nov 2009 20:54] Enterprise Tools JIRA Robot
Keith Russell writes: 
Patch installed in versions => 2.2.0.1538.
[16 Nov 2009 23:53] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Verified fixed in agent build 2.2.0.1538.

Notice (as explained in the latest comment from Dev) that "mixed mode" is not supported.
[17 Nov 2009 0:02] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Notice that if used like this:

agent-mgmt-hostname=http://olduser:oldpass@host:port/
agent-mgmt-username=user
agent-mgmt-password=passwd

You get the following error message:
2009-11-16 16:55:47: (critical) no authentication information allowed in
agent-mgmt-hostname if agent-mgmt-username and agent-mgmt-password are given
2009-11-16 16:55:47: (critical) chassis.c:894: Failure from chassis_mainloop. Shutting
down.
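As an added example (not code from the bug report, the agent or MEM), a Python sketch of the two rules this thread converges on: percent-encode separately supplied credentials before they are placed in the URL userinfo (so the '@gent' password from the original report no longer breaks host parsing), and reject the mixed mode that the agent now refuses. The config dict, the function names and the assumption that any separate key present counts as mixed mode are mine.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Constructed config fragment: the '@gent' password from the report, supplied
# through the separate keys rather than embedded in agent-mgmt-hostname.
AGENT_CFG = {
    "agent-mgmt-hostname": "http://127.0.0.1:18080/",
    "agent-mgmt-username": "agent",
    "agent-mgmt-password": "@gent",
}

def build_heartbeat_url(cfg: dict, path: str = "heartbeat") -> str:
    """Build the heartbeat URL for an agent-mgmt-* config. Credentials come
    from userinfo in agent-mgmt-hostname OR from the separate keys, never
    both (mixed mode is rejected, as the final agent does); separate values
    are percent-encoded so a '@' in the password cannot be read as the host
    delimiter. Assumption: any separate key present counts as mixed mode."""
    parts = urlsplit(cfg["agent-mgmt-hostname"])
    user = cfg.get("agent-mgmt-username")
    pw = cfg.get("agent-mgmt-password")
    if user is None and pw is None:
        netloc = parts.netloc  # embedded user:pass@ passes through unchanged
    else:
        if "@" in parts.netloc:
            raise ValueError("no authentication information allowed in "
                             "agent-mgmt-hostname if agent-mgmt-username "
                             "and agent-mgmt-password are given")
        # safe="" also encodes '@', ':', '/', '?', '#' (RFC 3986 reserved set)
        userinfo = quote(user or "", safe="")
        if pw is not None:
            userinfo += ":" + quote(pw, safe="")
        netloc = f"{userinfo}@{parts.netloc}"
    return urlunsplit((parts.scheme, netloc,
                       parts.path.rstrip("/") + "/" + path, "", ""))

def credentials_from_url(url: str) -> tuple:
    """Decode (hostname, port, username, password) out of a URL the way a
    URL-aware client does, to show the '@gent' round trip is lossless."""
    p = urlsplit(url)
    return (p.hostname, p.port,
            None if p.username is None else unquote(p.username),
            None if p.password is None else unquote(p.password))

def is_supported_config(cfg: dict) -> bool:
    """True for the supported credential combinations, False for mixed mode."""
    try:
        build_heartbeat_url(cfg)
    except ValueError:
        return False
    return True
```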
[19 Nov 2009 12:03] Tony Bedford
Also added to 2.2.0 changelog.