Truncate userinfo with URI#join, URI#merge and URI#+

Author: hsbt

lib/uri/generic.rb

@@ -1141,7 +1141,11 @@ def merge(oth)
       end
 
       # RFC2396, Section 5.2, 7)
-      base.set_userinfo(rel.userinfo) if rel.userinfo
+      if rel.userinfo
+        base.set_userinfo(rel.userinfo)
+      else
+        base.set_userinfo(nil)
+      end
       base.set_host(rel.host)         if rel.host
       base.set_port(rel.port)         if rel.port
       base.query = rel.query       if rel.query

test/uri/test_generic.rb

@@ -175,6 +175,17 @@ def test_parse
     # must be empty string to identify as path-abempty, not path-absolute
     assert_equal('', url.host)
     assert_equal('http:////example.com', url.to_s)
+
+    # sec-2957667
+    url = URI.parse('http://user:[email protected]').merge('//example.net')
+    assert_equal('http://example.net', url.to_s)
+    assert_nil(url.userinfo)
+    url = URI.join('http://user:[email protected]', '//example.net')
+    assert_equal('http://example.net', url.to_s)
+    assert_nil(url.userinfo)
+    url = URI.parse('http://user:[email protected]') + '//example.net'
+    assert_equal('http://example.net', url.to_s)
+    assert_nil(url.userinfo)
   end
 
   def test_parse_scheme_with_symbols