User names embedded in proxy URLs without a password were parsed

incorrectly--the host name is treated as part of the user name and the port number becomes the password. This can be observed in test 279 (was KNOWN_ISSUE #54).
2008-08-01 02:09:08 +00:00 · 2008-08-01 02:09:08 +00:00 · 9251dd7b24
commit 9251dd7b24
parent 3615063fbc
5 changed files with 10 additions and 7 deletions
--- a/5
+++ b/5
@ -15,6 +15,11 @@ Daniel Fandrich (31 Jul 2008)
  being mangled when passed to proxies when CURLOPT_PORT is also set
  (reported by Pramod Sharma).

+- User names embedded in proxy URLs without a password were parsed
+  incorrectly--the host name is treated as part of the user name and the
+  port number becomes the password.  This can be observed in test 279
+  (was KNOWN_ISSUE #54).
+
 Daniel Stenberg (30 Jul 2008)
 - Phil Blundell added the CURLOPT_SCOPE option, as well as adjusted the URL
  parser to allow numerical IPv6-addresses to be specified with the scope
--- a/1
+++ b/1
@ -41,6 +41,7 @@ This release includes the following bugfixes:
 o --use-ascii now works on Symbian OS, MS-DOS and OS/2
 o CURLINFO_SSL_VERIFYRESULT is fixed
 o FTP URLs and IPv6 URLs mangled when sent to proxy with CURLOPT_PORT set
+ o a user name in a proxy URL without a password was parsed incorrectly

 This release includes the following known bugs:

--- a/docs/KNOWN_BUGS
+++ b/docs/KNOWN_BUGS
@ -14,10 +14,6 @@ may have been fixed since this was written!
  library header files exporting symbols/macros that should be kept private
  to the KfW library. See ticket #5601 at http://krbdev.mit.edu/rt/

-54. User names embedded in URLs without a password are parsed incorrectly--the
-  host name is treated as part of the user name and the port number becomes the
-  password.  This can be observed test 279.
-
 53. SFTP busy-loop problem. When doing SFTP uploads, we can see that libcurl
  occasionally will busy-loop while waiting for certain network conditions.
  Reported by Pavel Shalagin, explained somewhat by Daniel Stenberg here:
--- a/lib/url.c
+++ b/lib/url.c
@ -3396,7 +3396,7 @@ static CURLcode parse_proxy(struct SessionHandle *data,
    proxypasswd[0] = 0;

    if(1 <= sscanf(proxyptr,
-                   "%" MAX_CURL_USER_LENGTH_TXT"[^:]:"
+                   "%" MAX_CURL_USER_LENGTH_TXT"[^:@]:"
                   "%" MAX_CURL_PASSWORD_LENGTH_TXT "[^@]",
                   proxyuser, proxypasswd)) {
      CURLcode res = CURLE_OK;
--- a/tests/data/test279
+++ b/tests/data/test279
@ -7,6 +7,7 @@ HTTP proxy
 HTTP proxy Basic auth
 </keywords>
 </info>
+
 # Server-side
 <reply>
 <data>
@ -28,7 +29,7 @@ http
 HTTP with proxy string including http:// and user only
 </name>
 <command>
-http://we.want.that.site.com/279 -x http://f%61ke@%HOSTIP:%HTTPPORT
+http://we.want.that.site.com/279 -x http://f%61ke@%HOSTIP:%HTTPPORT
 </command>
 </client>

@ -39,7 +40,7 @@ http://we.want.that.site.com/279 -x http://f%61ke@%HOSTIP:%HTTPPORT
 </strip>
 <protocol>
 GET http://we.want.that.site.com/279 HTTP/1.1
-Proxy-Authorization: Basic ZmFrZUAxMjcuMC4wLjE6ODk5MA0=
+Proxy-Authorization: Basic ZmFrZTo=
 Host: we.want.that.site.com
 Pragma: no-cache
 Accept: */*