Unescape username/passwords obtained from URLs before using them for HTTP aut...

net/http/http_network_transaction.cc

Index: net/http/http_network_transaction.cc
===================================================================
--- net/http/http_network_transaction.cc	(revision 23194)
+++ net/http/http_network_transaction.cc	(working copy)
@@ -1667,11 +1667,10 @@
       auth_identity_[target].source == HttpAuth::IDENT_SRC_NONE) {
     auth_identity_[target].source = HttpAuth::IDENT_SRC_URL;
     auth_identity_[target].invalid = false;
-    // TODO(wtc) It may be necessary to unescape the username and password

[wtc, 2009/08/13 21:37:36]

I wrote this TODO(wtc) based on what Darin told me, without
really understanding it.  So it would be nice to have Darin
review this.

-    // after extracting them from the URL.  We should be careful about
-    // embedded nulls in that case.
-    auth_identity_[target].username = ASCIIToWide(request_->url.username());
-    auth_identity_[target].password = ASCIIToWide(request_->url.password());
+    // Extract the username:password from the URL.
+    GetIdentifyFromUrl(request_->url,
+                       &auth_identity_[target].username,
+                       &auth_identity_[target].password);
     // TODO(eroman): If the password is blank, should we also try combining
     // with a password from the cache?
     return true;
@@ -1708,6 +1707,15 @@
   return false;
 }
 
+// static
+void HttpNetworkTransaction::GetIdentifyFromUrl(const GURL& url,
+                                                std::wstring* username,
+                                                std::wstring* password) {
+  UnescapeRule::Type flags = UnescapeRule::SPACES;
+  *username = UnescapeAndDecodeUTF8URLComponent(url.username(), flags);

[brettw, 2009/08/13 20:03:34]

Just making sure you're sure you know what you want here. I would expect that
the username/password get sent over HTTP as 8-bit. This says to me that the
strings everywhere should be 8-bit, and you shouldn't try to interpret it as
UTF-8 here. Do you know if this is correct? Maybe we should ask wtc?

[eroman, 2009/08/13 20:35:36]

right, this should be kosher.

username/password are inputtable by the user from dialogs, and hence are wide
strings. entry of credentials via URL (rather than dialog box) is just a
variation of that technique.

the network module's http auth module expects username/password to be provided
as wide strings. (so it is fine to provide non-ascii inputs).

lastly, under the hood the various http auth modules use the username/password
to form  a credential, which is an narrow (8-bit) string. therefore it is also
true that username/passwords are sent over the wire as 8-bit strings (as part of
some hashed credential blob).

+  *password = UnescapeAndDecodeUTF8URLComponent(url.password(), flags);
+}
+
 std::string HttpNetworkTransaction::AuthChallengeLogMessage() const {
   std::string msg;
   std::string header_val;