
Userinfo is urlencoded in URIs (RFC 3986)

Thanks to Jean-Baptiste Lallement for spotting and fixing it!

* apt-pkg/contrib/strutl.cc:
  - always escape '%' (LP: #130289) (Closes: #500560)
  - unescape '%' sequence only if followed by 2 hex digit
  - username/password are urlencoded in proxy string (RFC 3986)
debian/1.8.y
David Kalnischkies 12 years ago
parent
commit
436d7eab92
  1. 21
      apt-pkg/contrib/strutl.cc
  2. 1
      apt-pkg/contrib/strutl.h
  3. 6
      debian/changelog

21
apt-pkg/contrib/strutl.cc

@ -198,7 +198,8 @@ bool ParseQuoteWord(const char *&String,string &Res)
char *I;
for (I = Buffer; I < Buffer + sizeof(Buffer) && Start != C; I++)
{
if (*Start == '%' && Start + 2 < C)
if (*Start == '%' && Start + 2 < C &&
isxdigit(Start[1]) && isxdigit(Start[2]))
{
Tmp[0] = Start[1];
Tmp[1] = Start[2];
@ -273,7 +274,8 @@ string QuoteString(const string &Str, const char *Bad)
for (string::const_iterator I = Str.begin(); I != Str.end(); I++)
{
if (strchr(Bad,*I) != 0 || isprint(*I) == 0 ||
*I <= 0x20 || *I >= 0x7F)
*I == 0x25 || // percent '%' char
*I <= 0x20 || *I >= 0x7F) // control chars
{
char Buf[10];
sprintf(Buf,"%%%02x",(int)*I);
@ -289,11 +291,17 @@ string QuoteString(const string &Str, const char *Bad)
// ---------------------------------------------------------------------
/* This undoes QuoteString */
string DeQuoteString(const string &Str)
{
return DeQuoteString(Str.begin(),Str.end());
}
string DeQuoteString(string::const_iterator const &begin,
string::const_iterator const &end)
{
string Res;
for (string::const_iterator I = Str.begin(); I != Str.end(); I++)
for (string::const_iterator I = begin; I != end; I++)
{
if (*I == '%' && I + 2 < Str.end())
if (*I == '%' && I + 2 < end &&
isxdigit(I[1]) && isxdigit(I[2]))
{
char Tmp[3];
Tmp[0] = I[1];
@ -1238,9 +1246,10 @@ void URI::CopyFrom(const string &U)
else
{
Host.assign(At+1,SingleSlash);
User.assign(FirstColon,SecondColon);
// username and password must be encoded (RFC 3986)
User.assign(DeQuoteString(FirstColon,SecondColon));
if (SecondColon < At)
Password.assign(SecondColon+1,At);
Password.assign(DeQuoteString(SecondColon+1,At));
}
// Now we parse the RFC 2732 [] hostnames.
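Review bot: The new guard `isxdigit(I[1]) && isxdigit(I[2])` in DeQuoteString, and the matching `isxdigit(Start[1]) && isxdigit(Start[2])` in ParseQuoteWord, pass a plain `char` to a `<cctype>` function. Where `char` is signed, a byte of 0x80 or above following a '%' is a negative argument, which is undefined behaviour; cast first, e.g. `isxdigit(static_cast<unsigned char>(I[1]))`. Separately, in URI::CopyFrom the User and Password fields now hold decoded bytes, which can include ':', '@', '/' or CR/LF. The code that turns a URI back into a string is not visible in these hunks, so it should be confirmed that it re-encodes both fields with QuoteString; otherwise a parsed URI no longer round-trips and a decoded delimiter can move the userinfo/host boundary when the string is parsed again. All three functions start and end outside the hunks shown.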

1
apt-pkg/contrib/strutl.h

@ -38,6 +38,7 @@ bool ParseQuoteWord(const char *&String,string &Res);
bool ParseCWord(const char *&String,string &Res);
string QuoteString(const string &Str,const char *Bad);
string DeQuoteString(const string &Str);
string DeQuoteString(string::const_iterator const &begin, string::const_iterator const &end);
string SizeToStr(double Bytes);
string TimeToStr(unsigned long Sec);
string Base64Encode(const string &Str);
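Review bot: The added range overload `DeQuoteString(begin, end)` is declared without a comment, and the header is where callers will look for its contract. A one-line comment above it would do, e.g. `// Decodes %XX escapes in [begin,end); a '%' not followed by two hex digits is left as is`. The last clause should be checked against the else branch in strutl.cc, which is outside the hunk shown. Taking the iterators by value rather than by `const &` would also match how the standard library passes iterators.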

6
debian/changelog

@ -64,6 +64,12 @@ apt (0.7.26) UNRELEASED; urgency=low
* apt-pkg/contrib/strutl.cc:
- convert all toupper calls to tolower_ascii for a little speedup
[ Jean-Baptiste Lallement ]
* apt-pkg/contrib/strutl.cc:
- always escape '%' (LP: #130289) (Closes: #500560)
- unescape '%' sequence only if followed by 2 hex digit
- username/password are urlencoded in proxy string (RFC 3986)
[ Julian Andres Klode ]
* cmdline/apt-mark:
- Use the new python-apt API (and conflict with python-apt << 0.7.93.2).
