From 436d7eab92bb8f9cc6498acfbf2055e717be6fd0 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Wed, 31 Mar 2010 17:19:10 +0200 Subject: [PATCH] Userinfo is urlencoded in URIs (RFC 3986) Thanks to Jean-Baptiste Lallement for spotting and fixing it! * apt-pkg/contrib/strutl.cc: - always escape '%' (LP: #130289) (Closes: #500560) - unescape '%' sequence only if followed by 2 hex digit - username/password are urlencoded in proxy string (RFC 3986) --- apt-pkg/contrib/strutl.cc | 21 +++++++++++++++------ apt-pkg/contrib/strutl.h | 1 + debian/changelog | 6 ++++++ 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/apt-pkg/contrib/strutl.cc b/apt-pkg/contrib/strutl.cc index 7eb986ac0..c7d63ce8a 100644 --- a/apt-pkg/contrib/strutl.cc +++ b/apt-pkg/contrib/strutl.cc @@ -198,7 +198,8 @@ bool ParseQuoteWord(const char *&String,string &Res) char *I; for (I = Buffer; I < Buffer + sizeof(Buffer) && Start != C; I++) { - if (*Start == '%' && Start + 2 < C) + if (*Start == '%' && Start + 2 < C && + isxdigit(Start[1]) && isxdigit(Start[2])) { Tmp[0] = Start[1]; Tmp[1] = Start[2]; @@ -273,7 +274,8 @@ string QuoteString(const string &Str, const char *Bad) for (string::const_iterator I = Str.begin(); I != Str.end(); I++) { if (strchr(Bad,*I) != 0 || isprint(*I) == 0 || - *I <= 0x20 || *I >= 0x7F) + *I == 0x25 || // percent '%' char + *I <= 0x20 || *I >= 0x7F) // control chars { char Buf[10]; sprintf(Buf,"%%%02x",(int)*I); @@ -289,11 +291,17 @@ string QuoteString(const string &Str, const char *Bad) // --------------------------------------------------------------------- /* This undoes QuoteString */ string DeQuoteString(const string &Str) +{ + return DeQuoteString(Str.begin(),Str.end()); +} +string DeQuoteString(string::const_iterator const &begin, + string::const_iterator const &end) { string Res; - for (string::const_iterator I = Str.begin(); I != Str.end(); I++) + for (string::const_iterator I = begin; I != end; I++) { - if (*I == '%' && I + 2 < Str.end()) + if (*I == '%' && I + 2 < end && + isxdigit(I[1]) && isxdigit(I[2])) { char Tmp[3]; Tmp[0] = I[1]; @@ -1238,9 +1246,10 @@ void URI::CopyFrom(const string &U) else { Host.assign(At+1,SingleSlash); - User.assign(FirstColon,SecondColon); + // username and password must be encoded (RFC 3986) + User.assign(DeQuoteString(FirstColon,SecondColon)); if (SecondColon < At) - Password.assign(SecondColon+1,At); + Password.assign(DeQuoteString(SecondColon+1,At)); } // Now we parse the RFC 2732 [] hostnames. diff --git a/apt-pkg/contrib/strutl.h b/apt-pkg/contrib/strutl.h index d8070d3f5..e509145f9 100644 --- a/apt-pkg/contrib/strutl.h +++ b/apt-pkg/contrib/strutl.h @@ -38,6 +38,7 @@ bool ParseQuoteWord(const char *&String,string &Res); bool ParseCWord(const char *&String,string &Res); string QuoteString(const string &Str,const char *Bad); string DeQuoteString(const string &Str); +string DeQuoteString(string::const_iterator const &begin, string::const_iterator const &end); string SizeToStr(double Bytes); string TimeToStr(unsigned long Sec); string Base64Encode(const string &Str); diff --git a/debian/changelog b/debian/changelog index 61a4dc618..205db85e0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -64,6 +64,12 @@ apt (0.7.26) UNRELEASED; urgency=low * apt-pkg/contrib/strutl.cc: - convert all toupper calls to tolower_ascii for a little speedup + [ Jean-Baptiste Lallement ] + * apt-pkg/contrib/strutl.cc: + - always escape '%' (LP: #130289) (Closes: #500560) + - unescape '%' sequence only if followed by 2 hex digit + - username/password are urlencoded in proxy string (RFC 3986) + [ Julian Andres Klode ] * cmdline/apt-mark: - Use the new python-apt API (and conflict with python-apt << 0.7.93.2). -- 2.45.2