Passing username from URL object to http.clientRequest without decoding
#31439
The whatwg url impl is doing the right thing here. The issue is in the urlToOptions function
Description
Passing username with "unsafe" symbols (e.g. @) to a URL object causes a wrongly computed Basic-Authorization header string.
Pre-requisites
The next code looks good enough (Node.js CLI):
This should result in:
The field username is percent-encoded, as mentioned in the documentation (https://nodejs.org/api/url.html#url_url_username). According to the composed URI in the field href it's working as expected.
Expected behavior
Reference calls via cURL will look like:
Decoding the header Authorization: Basic dGVzdEB0ZXN0OjEyMzQ1Ng== results in test@test:123456 as expected.
Actual behavior
Again try to make the same call from Node.js CLI:
That will output something like:
Decoding the Authorization header results in test%40test:123456, which is wrong.
Expectation
When http.request(<URL>) grabs a value from the href or username fields, it should sanitize and decode the values before composing the Authorization header.
-or-
WHATWG-URL should keep the raw username and provide it like:
References
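The mismatch reported above, next to one caller-side way to avoid it, as an added example (not code from the issue or from Node.js). The host example.test and all function names are constructed; the decoded string is meant for the auth option of http.request, and the example also rejects the two inputs that cannot be turned into valid Basic credentials.

```javascript
// Added example: host example.test and all function names are constructed.

// Build a Basic Authorization header value from a "user:password" string.
function basicHeader(userPass) {
  return 'Basic ' + Buffer.from(userPass, 'utf8').toString('base64');
}

// Behaviour reported in the issue: the URL fields are used as-is, so the
// percent-encoded username ends up inside the credentials.
function naiveHeader(url) {
  return basicHeader(`${url.username}:${url.password}`);
}

// Percent-decode one userinfo component, rejecting malformed escapes.
function decodeUserinfo(value, field) {
  try {
    return decodeURIComponent(value);
  } catch (err) {
    throw new TypeError(`malformed percent-encoding in URL ${field}`);
  }
}

// Returns a decoded "user:password" string for the auth option of
// http.request, or undefined when the URL carries no credentials.
function decodedAuth(url) {
  if (url.username === '' && url.password === '') return undefined;
  const user = decodeUserinfo(url.username, 'username');
  const pass = decodeUserinfo(url.password, 'password');
  // RFC 7617: the user-id cannot contain ":", or the server would split the
  // credentials at the wrong place.
  if (user.includes(':')) {
    throw new TypeError('username contains ":" and cannot be sent as Basic auth');
  }
  return `${user}:${pass}`;
}

// Constructed sample using the credentials from the issue text.
function sampleUrl() {
  const url = new URL('https://example.test/');
  url.username = 'test@test';
  url.password = '123456';
  return url;
}

const sample = sampleUrl();
console.log(sample.username);
console.log(naiveHeader(sample));
console.log(basicHeader(decodedAuth(sample)));
```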