Userinfo is urlencoded in URIs (RFC 3986)

Thanks to Jean-Baptiste Lallement for spotting and fixing it!

* apt-pkg/contrib/strutl.cc:
  - always escape '%' (LP: #130289) (Closes: #500560)
  - unescape '%' sequence only if followed by 2 hex digit
  - username/password are urlencoded in proxy string (RFC 3986)

diff --git a/apt-pkg/contrib/strutl.cc b/apt-pkg/contrib/strutl.cc
index 7eb986ac0f4bc5a0a33e321a71c8f46e33ce9fe3..c7d63ce8a58f069e55e05f920b5c003d9519f127 100644 (file)
--- a/apt-pkg/contrib/strutl.cc
+++ b/apt-pkg/contrib/strutl.cc
@@ -198,7 +198,8 @@ bool ParseQuoteWord(const char *&String,string &Res)
    char *I;
    for (I = Buffer; I < Buffer + sizeof(Buffer) && Start != C; I++)
    {
-      if (*Start == '%' && Start + 2 < C)
+      if (*Start == '%' && Start + 2 < C &&
+         isxdigit(Start[1]) && isxdigit(Start[2]))
       {
         Tmp[0] = Start[1];
         Tmp[1] = Start[2];
@@ -273,7 +274,8 @@ string QuoteString(const string &Str, const char *Bad)
    for (string::const_iterator I = Str.begin(); I != Str.end(); I++)
    {
       if (strchr(Bad,*I) != 0 || isprint(*I) == 0 || 
-         *I <= 0x20 || *I >= 0x7F)
+         *I == 0x25 || // percent '%' char
+         *I <= 0x20 || *I >= 0x7F) // control chars
       {
         char Buf[10];
         sprintf(Buf,"%%%02x",(int)*I);
@@ -289,11 +291,17 @@ string QuoteString(const string &Str, const char *Bad)
 // ---------------------------------------------------------------------
 /* This undoes QuoteString */
 string DeQuoteString(const string &Str)
+{
+   return DeQuoteString(Str.begin(),Str.end());
+}
+string DeQuoteString(string::const_iterator const &begin,
+                       string::const_iterator const &end)
 {
    string Res;
-   for (string::const_iterator I = Str.begin(); I != Str.end(); I++)
+   for (string::const_iterator I = begin; I != end; I++)
    {
-      if (*I == '%' && I + 2 < Str.end())
+      if (*I == '%' && I + 2 < end &&
+         isxdigit(I[1]) && isxdigit(I[2]))
       {
         char Tmp[3];
         Tmp[0] = I[1];
@@ -1238,9 +1246,10 @@ void URI::CopyFrom(const string &U)
    else
    {
       Host.assign(At+1,SingleSlash);
-      User.assign(FirstColon,SecondColon);
+      // username and password must be encoded (RFC 3986)
+      User.assign(DeQuoteString(FirstColon,SecondColon));
       if (SecondColon < At)
-        Password.assign(SecondColon+1,At);
+        Password.assign(DeQuoteString(SecondColon+1,At));
    }   
    
    // Now we parse the RFC 2732 [] hostnames.

diff --git a/apt-pkg/contrib/strutl.h b/apt-pkg/contrib/strutl.h
index d8070d3f597bb15df57d7f6de508831cf86b3b55..e509145f9d9f2d2cf86dc901c00e7fa094e6183f 100644 (file)
--- a/apt-pkg/contrib/strutl.h
+++ b/apt-pkg/contrib/strutl.h
@@ -38,6 +38,7 @@ bool ParseQuoteWord(const char *&String,string &Res);
 bool ParseCWord(const char *&String,string &Res);
 string QuoteString(const string &Str,const char *Bad);
 string DeQuoteString(const string &Str);
+string DeQuoteString(string::const_iterator const &begin, string::const_iterator const &end);
 string SizeToStr(double Bytes);
 string TimeToStr(unsigned long Sec);
 string Base64Encode(const string &Str);

diff --git a/debian/changelog b/debian/changelog
index 61a4dc618d24953b385434f2b118fd8bd25b7c36..205db85e0d2574751b860f25d06ad26776f867e5 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -64,6 +64,12 @@ apt (0.7.26) UNRELEASED; urgency=low
   * apt-pkg/contrib/strutl.cc:
     - convert all toupper calls to tolower_ascii for a little speedup
 
+  [ Jean-Baptiste Lallement ]
+  * apt-pkg/contrib/strutl.cc:
+    - always escape '%' (LP: #130289) (Closes: #500560)
+    - unescape '%' sequence only if followed by 2 hex digit
+    - username/password are urlencoded in proxy string (RFC 3986)
+
   [ Julian Andres Klode ]
   * cmdline/apt-mark:
     - Use the new python-apt API (and conflict with python-apt << 0.7.93.2).