File 1055-httpc-Fix-percent-encoding-of-userinfo-in-URLs.patch of Package erlang
From a0a2b376cad40dffde391b1a2f2b3561b1e46d54 Mon Sep 17 00:00:00 2001
From: Siim Liiser <siim.liiser@glia.com>
Date: Thu, 13 Jun 2024 15:08:16 +0300
Subject: [PATCH] httpc: Fix percent-encoding of userinfo in URLs
According to RFC3986 section-3.2.1, the valid characters for the
userinfo component are as follows:
userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
This does not include the "@" character, which must be percent-encoded
when it appears in the userinfo component of a URL.
The Basic authentication scheme, as defined in RFC7617, does not
restrict the use of any characters except for the colon (":") character
in the user id. The colon should not be percent-encoded; it is just not
a valid part of the user id.
When the userinfo component from the URL is converted into a Basic
Authorization header, then the string is correctly validated, but is not
decoded. This means that the percent-encoded characters end up in the
Authorization header, which the servers are expected to interpret
literally and not as percent-encoded. This results in user ids and
passwords containing reserved characters being misinterpreted by servers
and rejected.
This commit ensures that the userinfo component is properly decoded
before being used in the Basic Authorization header.
---
lib/inets/src/http_client/httpc_request.erl | 6 ++++--
lib/inets/test/httpc_SUITE.erl | 6 +++---
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/lib/inets/src/http_client/httpc_request.erl b/lib/inets/src/http_client/httpc_request.erl
index a052dc2d2e..fc48adec44 100644
--- a/lib/inets/src/http_client/httpc_request.erl
+++ b/lib/inets/src/http_client/httpc_request.erl
@@ -284,10 +284,12 @@ handle_user_info([], Headers) ->
handle_user_info(UserInfo, Headers) ->
case string:tokens(UserInfo, ":") of
[User, Passwd] ->
- UserPasswd = base64:encode_to_string(User ++ ":" ++ Passwd),
+ UserPasswd = base64:encode_to_string(
+ uri_string:percent_decode(User) ++ ":" ++ uri_string:percent_decode(Passwd)
+ ),
Headers#http_request_h{authorization = "Basic " ++ UserPasswd};
[User] ->
- UserPasswd = base64:encode_to_string(User ++ ":"),
+ UserPasswd = base64:encode_to_string(uri_string:percent_decode(User) ++ ":"),
Headers#http_request_h{authorization = "Basic " ++ UserPasswd};
_ ->
Headers
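Review bot: the decoding is added after `string:tokens(UserInfo, ":")`, but that split is still lossy: `string:tokens/2` splits on every colon and collapses runs of separators, so a password containing an unencoded ":" (which the userinfo ABNF quoted in the commit message permits) yields three or more tokens and silently falls through to `_ -> Headers`, sending no Authorization header at all, and inputs like `user:` or `user::x` are mis-split. Consider splitting at the first colon only, e.g. `string:split(UserInfo, ":")`, which returns `[User, Passwd]` or `[User]` and keeps the two clauses as written. Also note that `uri_string:percent_decode/1` returns an `{error, ...}` tuple rather than a string for malformed input, and `{error, ...} ++ ":"` raises `badarg`; either confirm the earlier URL validation rejects such input before this point or match the error explicitly. Finally, the diffstat lists changes to `lib/inets/test/httpc_SUITE.erl`, but that hunk is not shown here, so the test coverage for the new decoding (including a `%3A` in the password and a `%40` in the user) cannot be reviewed.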
--
2.35.3
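The behaviour the commit message describes, shown as an added example that is not the patch's or OTP's own code: take the userinfo from a URL with `uri_string:parse/1`, split at the first ":" only, percent-decode each part, and only then build the Basic credential. The module name `userinfo_basic` and the function `basic_auth_from_url/1` are assumed names for this illustration.

```erlang
%% Added example, not part of the patch: build the Basic Authorization
%% value from a URL's userinfo, decoding percent-encoded octets only after
%% splitting on the first ":" so that "%3A" inside a password stays a colon.
-module(userinfo_basic).
-export([basic_auth_from_url/1]).

%% Returns {ok, "Basic <base64>"} or {error, Reason}.
basic_auth_from_url(Url) ->
    case uri_string:parse(Url) of
        #{userinfo := UserInfo} ->
            %% string:split/2 stops at the first separator, unlike
            %% string:tokens/2, so a password may itself contain ":".
            {User, Passwd} =
                case string:split(UserInfo, ":") of
                    [U, P] -> {U, P};
                    [U]    -> {U, ""}
                end,
            %% uri_string:percent_decode/1 returns {error, ...} for a
            %% malformed triplet such as "%ZZ"; handle it instead of
            %% letting "++" raise badarg.
            case {uri_string:percent_decode(User),
                  uri_string:percent_decode(Passwd)} of
                {DecUser, DecPasswd} when is_list(DecUser), is_list(DecPasswd) ->
                    %% Encode as UTF-8 bytes so that decoded non-ASCII
                    %% characters cannot trip base64 on a code point > 255.
                    Bytes = unicode:characters_to_binary(
                              DecUser ++ ":" ++ DecPasswd),
                    {ok, "Basic " ++ base64:encode_to_string(Bytes)};
                _ ->
                    {error, invalid_percent_encoding}
            end;
        _ ->
            {error, no_userinfo}
    end.
```

With a constructed URL such as `"http://bob%40example.com:p%3Aw@host.invalid/"`, the credential sent is the Base64 of `bob@example.com:p:w`, not of the still-encoded text.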