Passing username from URL object to http.clientRequest without decoding #31439
Labels: http (Issues or PRs related to the http subsystem.)
addaleax added a commit to addaleax/node that referenced this issue (Jan 21, 2020)
The whatwg url impl is doing the right thing here. The issue is in the urlToOptions function
lewgordon pushed a commit to lewgordon/node that referenced this issue (Jul 8, 2021):
This change properly decodes the url.username and url.password for the authorization header constructed from the URL object for http(s) requests. Fixes: nodejs#31439
andrei-cdl added a commit to compassdigital/basic-auth that referenced this issue (Aug 9, 2021):
due to a bug in node.js some clients will end up encoding the value before base64 which results in the incorrect value being parsed. ref: nodejs/node#31439
danielleadams pushed a commit that referenced this issue (Aug 16, 2021):
This change properly decodes the url.username and url.password for the authorization header constructed from the URL object for http(s) requests.
Fixes: #31439
PR-URL: #39310
Reviewed-By: Matteo Collina
Reviewed-By: Robert Nagy
Reviewed-By: James M Snell
Description
Passing username with "unsafe" symbols (e.g. @) to URL object causes wrongly computed Basic-Authorization header string.

Pre-requisites
The next code looks good enough (Node.js CLI):
This should result in:
The field username turned to percent-encoded as mentioned in the documentation (https://nodejs.org/api/url.html#url_url_username). According to the composed URI in the field href it's working as expected.

Expected behavior
Reference calls via cURL will look like:
Decoding the header Authorization: Basic dGVzdEB0ZXN0OjEyMzQ1Ng== results to test@test:123456 as expected.

Actual behavior
Again try to make the same call from Node.js CLI:
That will output something like:
Decoding Authorization header results to test%40test:123456, which is wrong.

Expectation
When http.request(<URL>) grabs a value from href or username fields, it should sanitize and decode values before composing Authorization header.
-or-
WHATWG-URL should keep raw username and provide it like:

References
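The mismatch described in the issue, as an added example that is not part of the original report or of Node.js's own code: it builds the Basic header from a URL object's fields with and without decoding and shows what a server would parse in each case. The helper names are hypothetical, the credentials are the ones quoted in the issue, and keeping the raw value on a malformed percent sequence is a choice made for this example.

```javascript
// Added example: constructed input using the credentials quoted in the issue.
// Uses only Node.js globals (URL, Buffer); all helper names are hypothetical.

// Behaviour the issue reports: the percent-encoded URL fields go
// straight into the Basic credentials.
function basicHeaderRaw(url) {
  return 'Basic ' + Buffer.from(`${url.username}:${url.password}`).toString('base64');
}

// Decode one userinfo field; keep the raw value if it holds a malformed
// percent sequence (decodeURIComponent throws URIError on e.g. "%zz").
function decodeUserinfo(value) {
  try {
    return decodeURIComponent(value);
  } catch (err) {
    if (err instanceof URIError) return value;
    throw err;
  }
}

// Behaviour the issue asks for: decode first, then base64.
function basicHeaderDecoded(url) {
  const user = decodeUserinfo(url.username);
  const pass = decodeUserinfo(url.password);
  return 'Basic ' + Buffer.from(`${user}:${pass}`).toString('base64');
}

// What a server sees after base64-decoding the header value.
function credentialsSeenByServer(header) {
  const text = Buffer.from(header.replace(/^Basic /, ''), 'base64').toString('utf8');
  const sep = text.indexOf(':'); // the first colon separates user and password
  return { user: text.slice(0, sep), pass: text.slice(sep + 1) };
}

const url = new URL('http://localhost/');
url.username = 'test@test'; // the setter percent-encodes '@' as %40
url.password = '123456';

console.log(url.username);
console.log(credentialsSeenByServer(basicHeaderRaw(url)));
console.log(credentialsSeenByServer(basicHeaderDecoded(url)));
```

A username containing a percent-encoded colon (%3A) decodes to ':', and a server that splits at the first colon will then parse different credentials, so reject such usernames before building the header.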