httpc: Fix percent-encoding of userinfo in URLs #8575
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
According to RFC3986 section-3.2.1, the valid characters for the
userinfo component are as follows:
userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
This does not include the "@" character, which must be percent-encoded
when it appears in the userinfo component of a URL.
The Basic authentication scheme, as defined in RFC7617, does not
restrict the use of any characters except for the colon (":") character
in the user id. The colon should not be percent-encoded, it is just not
a valid part of the user id.
When the userinfo component from the URL is converted into a Basic
Authorization header, then the string is correctly validated, but is not
decoded. This means that the percent-encoded characters end up in the
Authorization header, which the servers are expected to interpet
literally and not as percent-encoded. This results in user ids and
passwords containing reserved characters to be misinterpreted by servers
and rejected.
This commit ensures that the userinfo component is properly decoded
before being used in the Basic Authorization header.
|
|
CT Test Results 2 files 22 suites 10m 22s ⏱️ Results for commit a0a2b37. ♻️ This comment has been updated with latest results. To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass. See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally. Artifacts// Erlang/OTP Github Action Bot |
Whaileee
added
the
testing
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
According to RFC3986 section-3.2.1, the valid characters for the userinfo component are as follows:
userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
This does not include the "@" character, which must be percent-encoded when it appears in the userinfo component of a URL.
The Basic authentication scheme, as defined in RFC7617, does not restrict the use of any characters except for the colon (":") character in the user id. The colon should not be percent-encoded, it is just not a valid part of the user id.
When the userinfo component from the URL is converted into a Basic Authorization header, then the string is correctly validated, but is not decoded. This means that the percent-encoded characters end up in the Authorization header, which the servers are expected to interpet literally and not as percent-encoded. This results in user ids and passwords containing reserved characters to be misinterpreted by servers and rejected.
This commit ensures that the userinfo component is properly decoded before being used in the Basic Authorization header.