From 64e66ff04479bf76940916e09cc5094580b06e18 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 14 May 2020 14:37:12 +0200
Subject: [PATCH] url: make the updated credentials URL-encoded in the URL

Found-by: Gregory Jefferis
Reported-by: Jeroen Ooms
Added test 1168 to verify. Bug spotted when doing a redirect.
Bug: https://github.com/jeroen/curl/issues/224
Closes #5400

Upstream-commit: 600a8cded447cd7118ed50142c576567c0cf5158
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/url.c               |  6 ++--
 tests/data/Makefile.inc |  1 +
 tests/data/test1168     | 78 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 tests/data/test1168

diff --git a/lib/url.c b/lib/url.c
index 47fc66a..a826f8a 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2712,12 +2712,14 @@ static CURLcode override_login(struct Curl_easy *data,
 
   /* for updated strings, we update them in the URL */
   if(user_changed) {
-    uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0);
+    uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
+                      CURLU_URLENCODE);
     if(uc)
       return Curl_uc_to_curlcode(uc);
   }
   if(passwd_changed) {
-    uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0);
+    uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
+                      CURLU_URLENCODE);
     if(uc)
       return Curl_uc_to_curlcode(uc);
   }
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 3d8565c..f9535a6 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -130,6 +130,7 @@ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
 test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
 test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \
 test1160 test1161 test1162 test1163 test1164 test1165 \
+test1168 \
 test1170 test1171 test1172 test1173 test1174 \
 \
 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
diff --git a/tests/data/test1168 b/tests/data/test1168
new file mode 100644
index 0000000..283e91e
--- /dev/null
+++ b/tests/data/test1168
@@ -0,0 +1,78 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+followlocation
+</keywords>
+</info>
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 This is a weirdo text message swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Location: /data/11680002.txt
+Connection: close
+
+This server reply is for testing a simple Location: following
+
+</data>
+<data2>
+HTTP/1.1 200 Followed here fine swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 52
+
+If this is received, the location following worked
+
+</data2>
+<datacheck>
+HTTP/1.1 301 This is a weirdo text message swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Location: /data/11680002.txt
+Connection: close
+
+HTTP/1.1 200 Followed here fine swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 52
+
+If this is received, the location following worked
+
+</datacheck>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP redirect with credentials using # in user and password
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY"
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /want/1168 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
+Accept: */*
+
+GET /data/11680002.txt HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>
-- 
2.21.3