[fix] Use the last occurence of the at sign for userinfo

Correctly handle usernames and passwords containing the at sign (@).
unshiftio · Jan 8, 2022 · cb7fecb · cb7fecb
1 parent 82c4908
commit cb7fecb
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 3 deletions.
diff --git a/index.js b/index.js
@@ -304,7 +304,11 @@ function Url(address, location, parser) {
     if (parse !== parse) {
       url[key] = address;
     } else if ('string' === typeof parse) {
-      if (~(index = address.indexOf(parse))) {
+      index = parse === '@'
+        ? address.lastIndexOf(parse)
+        : address.indexOf(parse);
+
+      if (~index) {
         if ('number' === typeof instruction[2]) {
           url[key] = address.slice(0, index);
           address = address.slice(index + instruction[2]);
@@ -372,8 +376,13 @@ function Url(address, location, parser) {
   url.username = url.password = '';
   if (url.auth) {
     instruction = url.auth.split(':');
-    url.username = instruction[0];
-    url.password = instruction[1] || '';
+    url.username = instruction[0]
+      ? encodeURIComponent(decodeURIComponent(instruction[0]))
+      : '';
+    url.password = instruction[1]
+      ? encodeURIComponent(decodeURIComponent(instruction[1]))
+      : '';
+    url.auth = instruction.join(':');
   }
 
   url.origin = url.protocol !== 'file:' && isSpecial(url.protocol) && url.host

diff --git a/test/test.js b/test/test.js
@@ -689,6 +689,50 @@ describe('url-parse', function () {
       assume(parsed.hostname).equals('www.example.com');
       assume(parsed.href).equals(url);
     });
+
+    it('handles @ in username', function () {
+      var url = 'http://user@@www.example.com/'
+        , parsed = parse(url);
+
+      assume(parsed.protocol).equals('http:');
+      assume(parsed.username).equals('user%40');
+      assume(parsed.password).equals('');
+      assume(parsed.hostname).equals('www.example.com');
+      assume(parsed.pathname).equals('/');
+      assume(parsed.href).equals('http://user%40@www.example.com/');
+
+      url = 'http://user%40@www.example.com/';
+      parsed = parse(url);
+
+      assume(parsed.protocol).equals('http:');
+      assume(parsed.username).equals('user%40');
+      assume(parsed.password).equals('');
+      assume(parsed.hostname).equals('www.example.com');
+      assume(parsed.pathname).equals('/');
+      assume(parsed.href).equals('http://user%40@www.example.com/');
+    });
+
+    it('handles @ in password', function () {
+      var url = 'http://user@:pass@@www.example.com/'
+        , parsed = parse(url);
+
+      assume(parsed.protocol).equals('http:');
+      assume(parsed.username).equals('user%40');
+      assume(parsed.password).equals('pass%40');
+      assume(parsed.hostname).equals('www.example.com');
+      assume(parsed.pathname).equals('/');
+      assume(parsed.href).equals('http://user%40:pass%40@www.example.com/');
+
+      url = 'http://user%40:pass%40@www.example.com/'
+      parsed = parse(url);
+
+      assume(parsed.protocol).equals('http:');
+      assume(parsed.username).equals('user%40');
+      assume(parsed.password).equals('pass%40');
+      assume(parsed.hostname).equals('www.example.com');
+      assume(parsed.pathname).equals('/');
+      assume(parsed.href).equals('http://user%40:pass%40@www.example.com/');
+    });
   });
 
   it('accepts multiple ???', function () {