Unescape username/passwords obtained from URLs before using them for HTTP aut...

net/http/http_network_transaction.cc

 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_network_transaction.h"
 
 #include "base/scoped_ptr.h"
 #include "base/compiler_specific.h"
 #include "base/field_trial.h"
 #include "base/string_util.h"
@@ skipping 1649 matching lines @@
   DCHECK(auth_handler_[target]);
   DCHECK(auth_identity_[target].invalid);
 
   // Try to use the username/password encoded into the URL first.
   // (By checking source == IDENT_SRC_NONE, we make sure that this
   // is only done once for the transaction.)
   if (target == HttpAuth::AUTH_SERVER && request_->url.has_username() &&
       auth_identity_[target].source == HttpAuth::IDENT_SRC_NONE) {
     auth_identity_[target].source = HttpAuth::IDENT_SRC_URL;
     auth_identity_[target].invalid = false;
-    // TODO(wtc) It may be necessary to unescape the username and password

[wtc, 2009/08/13 21:37:36]

I wrote this TODO(wtc) based on what Darin told me, without
really understanding it.  So it would be nice to have Darin
review this.

-    // after extracting them from the URL.  We should be careful about
-    // embedded nulls in that case.
-    auth_identity_[target].username = ASCIIToWide(request_->url.username());
-    auth_identity_[target].password = ASCIIToWide(request_->url.password());
+    // Extract the username:password from the URL.
+    GetIdentifyFromUrl(request_->url,
+                       &auth_identity_[target].username,
+                       &auth_identity_[target].password);
     // TODO(eroman): If the password is blank, should we also try combining
     // with a password from the cache?
     return true;
   }
 
   // Check the auth cache for a realm entry.
   HttpAuthCache::Entry* entry = session_->auth_cache()->LookupByRealm(
       AuthOrigin(target), auth_handler_[target]->realm());
 
   if (entry) {
@@ skipping 16 matching lines @@
 
     auth_identity_[target].source = HttpAuth::IDENT_SRC_REALM_LOOKUP;
     auth_identity_[target].invalid = false;
     auth_identity_[target].username = entry->username();
     auth_identity_[target].password = entry->password();
     return true;
   }
   return false;
 }
 
+// static
+void HttpNetworkTransaction::GetIdentifyFromUrl(const GURL& url,
+                                                std::wstring* username,
+                                                std::wstring* password) {
+  UnescapeRule::Type flags = UnescapeRule::SPACES;
+  *username = UnescapeAndDecodeUTF8URLComponent(url.username(), flags);

[brettw, 2009/08/13 20:03:34]

Just making sure you're sure you know what you want here. I would expect that
the username/password get sent over HTTP as 8-bit. This says to me that the
strings everywhere should be 8-bit, and you shouldn't try to interpret it as
UTF-8 here. Do you know if this is correct? Maybe we should ask wtc?

[eroman, 2009/08/13 20:35:36]

right, this should be kosher.

username/password are inputtable by the user from dialogs, and hence are wide
strings. entry of credentials via URL (rather than dialog box) is just a
variation of that technique.

the network module's http auth module expects username/password to be provided
as wide strings. (so it is fine to provide non-ascii inputs).

lastly, under the hood the various http auth modules use the username/password
to form  a credential, which is an narrow (8-bit) string. therefore it is also
true that username/passwords are sent over the wire as 8-bit strings (as part of
some hashed credential blob).

+  *password = UnescapeAndDecodeUTF8URLComponent(url.password(), flags);
+}
+
 std::string HttpNetworkTransaction::AuthChallengeLogMessage() const {
   std::string msg;
   std::string header_val;
   void* iter = NULL;
   while (response_.headers->EnumerateHeader(&iter, "proxy-authenticate",
                                             &header_val)) {
     msg.append("\n  Has header Proxy-Authenticate: ");
     msg.append(header_val);
   }
 
@@ skipping 106 matching lines @@
     host_and_port = proxy_info_.proxy_server().host_and_port();
   } else {
     DCHECK(target == HttpAuth::AUTH_SERVER);
     host_and_port = GetHostAndPort(request_->url);
   }
   auth_info->host_and_port = ASCIIToWide(host_and_port);
   response_.auth_challenge = auth_info;
 }
 
 }  // namespace net