Eric Vergnaud pointed out that libcurl didn't treat ?-letters in the user name

and password fields properly in URLs, like ftp://us?er:pass?word@site.com/. Added test 191 to verify the fix.
2004-10-14 13:44:54 +00:00 · 2004-10-14 13:44:54 +00:00 · e8f85cba0f
parent 1aba99b1e7
commit e8f85cba0f
6 changed files with 67 additions and 11 deletions
--- a/5
+++ b/5
@ -6,6 +6,11 @@

                                  Changelog

+Daniel (14 October 2004)
+- Eric Vergnaud pointed out that libcurl didn't treat ?-letters in the user
+  name and password fields properly in URLs, like
+  ftp://us?er:pass?word@site.com/. Added test 191 to verify the fix.
+
 Daniel (11 October 2004)
 - libcurl now uses SO_NOSIGPIPE for systems that support it (Mac OS X 10.2 or
  later is one) to inhibit the SIGPIPE signal when writing to a socket while
--- a/5
+++ b/5
@ -21,6 +21,7 @@ This release includes the following changes:

 This release includes the following bugfixes:

+ o URLs with ?-letters in the user name or password fields
 o libcurl error message is now provided when send() fails
 o no more SIGPIPE on Mac OS X and other SO_NOSIGPIPE-supporting platforms
 o HTTP resume was refused if redirected
@ -61,6 +62,8 @@ Other curl-related news since the previous public release:
 o tclcurl version 0.12.1
   http://personal1.iddeo.es/andresgarci/tclcurl/english/
 o libcurl.NET was announce: http://www.seasideresearch.com/downloads.html
+ o Get your fresh Mozilla-extracted ca cert bundle here:
+   http://curl.haxx.se/docs/caextract.html

 This release would not have looked like this without help, code, reports and
 advice from friends like these:
@ -71,6 +74,6 @@ advice from friends like these:
 Jean-Claude Chauve, Dan Fandrich, Peter Sylvester, "Mekonikum", Jean-Philippe
 Barrette-LaPierre, Günter Knauf, Larry Campbell, Fedor Karpelevitch,
 Aleksandar Milivojevic, Gisle Vanem, Chris "Bob Bob", Chih-Chung Chang,
- Andy Cedilnik, Alan Pinstein
+ Andy Cedilnik, Alan Pinstein, Eric Vergnaud 

        Thanks! (and sorry if I forgot to mention someone)
--- a/2
+++ b/2
@ -5,8 +5,6 @@ To get fixed in 7.12.2 (planned release: mid October 2004)

 50 - threaded windows resolver problem reported by Traian Nicolescu

-51 - ?-letters in user name or password in ftp:// URLs
-
 To get fixed in 7.12.3 (planned release: December 2004)
 ======================

--- a/lib/url.c
+++ b/lib/url.c
@ -2175,6 +2175,7 @@ static CURLcode CreateConnection(struct SessionHandle *data,
                                 bool *async)
 {
  char *tmp;
+  char *at;
  CURLcode result=CURLE_OK;
  struct connectdata *conn;
  struct connectdata *conn_temp;
@ -2349,13 +2350,8 @@ static CURLcode CreateConnection(struct SessionHandle *data,
    /* Set default path */
    strcpy(conn->path, "/");

-    /* We need to search for '/' OR '?' - whichever comes first after host
-     * name but before the path. We need to change that to handle things like
-     * http://example.com?param= (notice the missing '/'). Later we'll insert
-     * that missing slash at the beginning of the path.
-     */
    if (2 > sscanf(data->change.url,
-                   "%15[^\n:]://%[^\n/?]%[^\n]",
+                   "%15[^\n:]://%[^\n/]%[^\n]",
                   conn->protostr,
                   conn->host.name, conn->path)) {

@ -2363,7 +2359,7 @@ static CURLcode CreateConnection(struct SessionHandle *data,
       * The URL was badly formatted, let's try the browser-style _without_
       * protocol specified like 'http://'.
       */
-      if((1 > sscanf(data->change.url, "%[^\n/?]%[^\n]",
+      if((1 > sscanf(data->change.url, "%[^\n/]%[^\n]",
                     conn->host.name, conn->path)) ) {
        /*
         * We couldn't even get this format.
@ -2404,6 +2400,27 @@ static CURLcode CreateConnection(struct SessionHandle *data,
    }
  }

+  /* We search for '?' in the host name (but only on the right side of a
+   * @-letter to allow ?-letters in username and password) to handle things
+   * like http://example.com?param= (notice the missing '/').
+   */
+  at = strchr(conn->host.name, '@');
+  if(at)
+    tmp = strchr(at+1, '?');
+  else
+    tmp = strchr(conn->host.name, '?');
+
+  if(tmp) {
+    /* The right part of the ?-letter needs to be moved to prefix
+       the current path buffer! */
+    size_t len = strlen(tmp);
+    /* move the existing path plus the zero byte */
+    memmove(conn->path+len+1, conn->path, strlen(conn->path)+1);
+    conn->path[0]='/'; /* prepend the missing slash */
+    memcpy(conn->path+1, tmp, len); /* now copy the prefix part */
+    *tmp=0; /* now cut off the hostname at the ? */
+  }
+
  /* If the URL is malformatted (missing a '/' after hostname before path) we
   * insert a slash here. The only letter except '/' we accept to start a path
   * is '?'.
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@ -26,7 +26,7 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46	\
 test512 test165 test166 test167 test168 test169 test170 test171	\
 test172 test204 test205 test173 test174 test175 test176 test177	\
 test513 test514 test178 test179 test180 test181 test182 test183	\
- test184 test185 test186 test187 test188 test189
+ test184 test185 test186 test187 test188 test189 test191

 # The following tests have been removed from the dist since they no longer
 # work. We need to fix the test suite's FTPS server first, then bring them
--- a/tests/data/test191
+++ b/tests/data/test191
@ -0,0 +1,33 @@
+# Server-side
+<reply>
+<data>
+data in file
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+ <name>
+FTP URL with ?-letters in username and password 
+ </name>
+ <command>
+"ftp://use?r:pass?word@%HOSTIP:%FTPPORT/191"
+</command>
+</test>
+
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+USER use?r
+PASS pass?word
+PWD
+EPSV
+TYPE I
+SIZE 191
+RETR 191
+QUIT
+</protocol>
+</verify>