Emmanuel Tychon found a problem when specifying user-name only in a URL

(and the password entered interactively). This fix also includes proper URL-decoding of the user name and password if specified in the URL.
2000-11-06 08:12:30 +00:00 · 2000-11-06 08:12:30 +00:00 · b6bb734215
parent e7736324b4
commit b6bb734215
1 changed files with 20 additions and 1 deletions
--- a/lib/url.c
+++ b/lib/url.c
@ -109,6 +109,7 @@
 #include "progress.h"
 #include "cookie.h"
 #include "strequal.h"
+#include "escape.h"

 /* And now for the protocols */
 #include "ftp.h"
@ -1129,17 +1130,35 @@ CURLcode curl_connect(CURL *curl, CURLconnect **in_connect)

      if(*conn->name != ':') {
        /* the name is given, get user+password */
-        sscanf(conn->name, "%127[^:]:%127[^@]",
+        sscanf(conn->name, "%127[^:@]:%127[^@]",
               data->user, data->passwd);
      }
      else
        /* no name given, get the password only */
        sscanf(conn->name+1, "%127[^@]", data->passwd);

+      if(data->user[0]) {
+        char *newname=curl_unescape(data->user, 0);
+        if(strlen(newname) < sizeof(data->user)) {
+          strcpy(data->user, newname);
+        }
+        /* if the new name is longer than accepted, then just use
+           the unconverted name, it'll be wrong but what the heck */
+        free(newname);
+      }
+
      /* check for password, if no ask for one */
      if( !data->passwd[0] ) {
        my_getpass("password:",data->passwd,sizeof(data->passwd));
      }
+      else {
+        /* we have a password found in the URL, decode it! */
+        char *newpasswd=curl_unescape(data->passwd, 0);
+        if(strlen(newpasswd) < sizeof(data->passwd)) {
+          strcpy(data->passwd, newpasswd);
+        }
+        free(newpasswd);
+      }

      conn->name = ++ptr;
      data->bits.user_passwd=1; /* enable user+password */