[fix] Correctly handle userinfo containing the at sign

unshiftio · Jan 8, 2022 · 2fac434 · 2fac434
1 parent 82c4908
commit 2fac434
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 5 deletions.
diff --git a/index.js b/index.js
@@ -304,7 +304,11 @@ function Url(address, location, parser) {
     if (parse !== parse) {
       url[key] = address;
     } else if ('string' === typeof parse) {
-      if (~(index = address.indexOf(parse))) {
+      index = parse === '@'
+        ? address.lastIndexOf(parse)
+        : address.indexOf(parse);
+
+      if (~index) {
         if ('number' === typeof instruction[2]) {
           url[key] = address.slice(0, index);
           address = address.slice(index + instruction[2]);
@@ -370,10 +374,17 @@ function Url(address, location, parser) {
   // Parse down the `auth` for the username and password.
   //
   url.username = url.password = '';
+
   if (url.auth) {
     instruction = url.auth.split(':');
-    url.username = instruction[0];
-    url.password = instruction[1] || '';
+
+    url.username = encodeURIComponent(decodeURIComponent(instruction[0]));
+
+    if (instruction.length === 2) {
+      url.password = encodeURIComponent(decodeURIComponent(instruction[1]));
+    }
+
+    url.auth = url.password ? url.username +':'+ url.password : url.username;
   }
 
   url.origin = url.protocol !== 'file:' && isSpecial(url.protocol) && url.host
@@ -466,8 +477,10 @@ function set(part, value, fn) {
 
     case 'auth':
       var splits = value.split(':');
-      url.username = splits[0];
-      url.password = splits.length === 2 ? splits[1] : '';
+      url.username = encodeURIComponent(decodeURIComponent(splits[0]));
+      url.password = splits.length === 2
+        ? encodeURIComponent(decodeURIComponent(splits[1]))
+        : '';
   }
 
   for (var i = 0; i < rules.length; i++) {

diff --git a/test/test.js b/test/test.js
@@ -689,6 +689,54 @@ describe('url-parse', function () {
       assume(parsed.hostname).equals('www.example.com');
       assume(parsed.href).equals(url);
     });
+
+    it('handles @ in username', function () {
+      var url = 'http://user@@www.example.com/'
+        , parsed = parse(url);
+
+      assume(parsed.protocol).equals('http:');
+      assume(parsed.auth).equals('user%40');
+      assume(parsed.username).equals('user%40');
+      assume(parsed.password).equals('');
+      assume(parsed.hostname).equals('www.example.com');
+      assume(parsed.pathname).equals('/');
+      assume(parsed.href).equals('http://user%40@www.example.com/');
+
+      url = 'http://user%40@www.example.com/';
+      parsed = parse(url);
+
+      assume(parsed.protocol).equals('http:');
+      assume(parsed.auth).equals('user%40');
+      assume(parsed.username).equals('user%40');
+      assume(parsed.password).equals('');
+      assume(parsed.hostname).equals('www.example.com');
+      assume(parsed.pathname).equals('/');
+      assume(parsed.href).equals('http://user%40@www.example.com/');
+    });
+
+    it('handles @ in password', function () {
+      var url = 'http://user@:pass@@www.example.com/'
+        , parsed = parse(url);
+
+      assume(parsed.protocol).equals('http:');
+      assume(parsed.auth).equals('user%40:pass%40');
+      assume(parsed.username).equals('user%40');
+      assume(parsed.password).equals('pass%40');
+      assume(parsed.hostname).equals('www.example.com');
+      assume(parsed.pathname).equals('/');
+      assume(parsed.href).equals('http://user%40:pass%40@www.example.com/');
+
+      url = 'http://user%40:pass%40@www.example.com/'
+      parsed = parse(url);
+
+      assume(parsed.protocol).equals('http:');
+      assume(parsed.auth).equals('user%40:pass%40');
+      assume(parsed.username).equals('user%40');
+      assume(parsed.password).equals('pass%40');
+      assume(parsed.hostname).equals('www.example.com');
+      assume(parsed.pathname).equals('/');
+      assume(parsed.href).equals('http://user%40:pass%40@www.example.com/');
+    });
   });
 
   it('accepts multiple ???', function () {
@@ -1124,6 +1172,16 @@ describe('url-parse', function () {
       assume(data.username).equals('');
       assume(data.password).equals('quux');
       assume(data.href).equals('https://:quux@example.com/');
+
+      assume(data.set('auth', 'user@:pass@')).equals(data);
+      assume(data.username).equals('user%40');
+      assume(data.password).equals('pass%40');
+      assume(data.href).equals('https://user%40:pass%40@example.com/');
+
+      assume(data.set('auth', 'user%40:pass%40')).equals(data);
+      assume(data.username).equals('user%40');
+      assume(data.password).equals('pass%40');
+      assume(data.href).equals('https://user%40:pass%40@example.com/');
     });
 
     it('updates other values', function () {