User names embedded in proxy URLs without a password were parsed

incorrectly--the host name is treated as part of the user name and the
port number becomes the password.  This can be observed in test 279
(was KNOWN_ISSUE #54).

diff --git a/CHANGES b/CHANGES
index 608151445f7eede7739e39875d5f69f915acde15..dd5393551f402243fa91d0593ab62a8aea0929de 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -15,6 +15,11 @@ Daniel Fandrich (31 Jul 2008)
   being mangled when passed to proxies when CURLOPT_PORT is also set
   (reported by Pramod Sharma).
 
+- User names embedded in proxy URLs without a password were parsed
+  incorrectly--the host name is treated as part of the user name and the
+  port number becomes the password.  This can be observed in test 279
+  (was KNOWN_ISSUE #54).
+
 Daniel Stenberg (30 Jul 2008)
 - Phil Blundell added the CURLOPT_SCOPE option, as well as adjusted the URL
   parser to allow numerical IPv6-addresses to be specified with the scope

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 76b545f3ed1c04a4973daf9751348841148e4f11..353b4c643727565d56184953345d7dc1b8e88b57 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -41,6 +41,7 @@ This release includes the following bugfixes:
  o --use-ascii now works on Symbian OS, MS-DOS and OS/2
  o CURLINFO_SSL_VERIFYRESULT is fixed
  o FTP URLs and IPv6 URLs mangled when sent to proxy with CURLOPT_PORT set
+ o a user name in a proxy URL without a password was parsed incorrectly
 
 This release includes the following known bugs:
 

diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS
index 9744481f8bfb37462d4b5428139bc9b5042e10ba..bb9cbbe2ea747f306bd685144f5cb1247cd28e17 100644 (file)
--- a/docs/KNOWN_BUGS
+++ b/docs/KNOWN_BUGS
@@ -14,10 +14,6 @@ may have been fixed since this was written!
   library header files exporting symbols/macros that should be kept private
   to the KfW library. See ticket #5601 at http://krbdev.mit.edu/rt/
 
-54. User names embedded in URLs without a password are parsed incorrectly--the
-  host name is treated as part of the user name and the port number becomes the
-  password.  This can be observed test 279.
-
 53. SFTP busy-loop problem. When doing SFTP uploads, we can see that libcurl
   occasionally will busy-loop while waiting for certain network conditions.
   Reported by Pavel Shalagin, explained somewhat by Daniel Stenberg here:

diff --git a/lib/url.c b/lib/url.c
index b53cc5053ebb204b79810fe1b4d93db356920c0a..c778507943d9c8f0908db704a6af9ba5c869a649 100644 (file)
--- a/lib/url.c
+++ b/lib/url.c
@@ -3396,7 +3396,7 @@ static CURLcode parse_proxy(struct SessionHandle *data,
     proxypasswd[0] = 0;
 
     if(1 <= sscanf(proxyptr,
-                   "%" MAX_CURL_USER_LENGTH_TXT"[^:]:"
+                   "%" MAX_CURL_USER_LENGTH_TXT"[^:@]:"
                    "%" MAX_CURL_PASSWORD_LENGTH_TXT "[^@]",
                    proxyuser, proxypasswd)) {
       CURLcode res = CURLE_OK;

diff --git a/tests/data/test279 b/tests/data/test279
index c37e9ab112645497dc118d0f41839b6549fb2537..f52941cd4a0582f89f5452dff2bf04a985305ee9 100644 (file)
--- a/tests/data/test279
+++ b/tests/data/test279
@@ -7,6 +7,7 @@ HTTP proxy
 HTTP proxy Basic auth
 </keywords>
 </info>
+
 # Server-side
 <reply>
 <data>
@@ -28,7 +29,7 @@ http
 HTTP with proxy string including http:// and user only
  </name>
  <command>
-http://we.want.that.site.com/279 -x http://f%61ke@%HOSTIP:%HTTPPORT\r
+http://we.want.that.site.com/279 -x http://f%61ke@%HOSTIP:%HTTPPORT
 </command>
 </client>
 
@@ -39,7 +40,7 @@ http://we.want.that.site.com/279 -x http://f%61ke@%HOSTIP:%HTTPPORT
 </strip>
 <protocol>
 GET http://we.want.that.site.com/279 HTTP/1.1\r
-Proxy-Authorization: Basic ZmFrZUAxMjcuMC4wLjE6ODk5MA0=\r
+Proxy-Authorization: Basic ZmFrZTo=\r
 Host: we.want.that.site.com\r
 Pragma: no-cache\r
 Accept: */*\r