[MPlayer-dev-eng] [PATCH 1/7] Unescape login/password before base64 encode

Reimar Döffinger Reimar.Doeffinger at gmx.de
Thu Nov 11 20:36:07 CET 2010


On Thu, Nov 11, 2010 at 01:41:39PM +0100, Clément Bœsch wrote:
> > And what about unescaping in url_new when username/password is assigned?
> 
> Yes, this seems actually to be a better solution.

Why not like patch below?

> > > > I don't think escaping is supposed to be applied to anything else.
> > > 
> > > We could also have users who try to make special characters by urlencoding
> > > themselves the password (special char not easy to escape with the shell,
> > > or simply break url parsing in MPlayer because of ':' or '@' in it).
> > > MPlayer urlencode won't change the string, but the http auth code will be
> > > able to decode it.
> > 
> > Well, thinking more about it I have the suspicion that your patch will
> > actually break e.g. %20 as password, it will end up using a single space
> > as password (unless you pre-escape it of course)...
> > Doing it in url_new would at least allow the other method of specifying
> > it...
> > I'd actually be quite curious what web browsers do in such a case.
> 
> MPlayer is closer to curl than a browser in terms of use, so I just
> compared with it, and here is the behaviour:
> 
>   curl 'http://usr:%20@localhost:8000'     => 'dXNyOiA='     => 'usr: '
>   curl 'http://locahost:8000' -u 'usr:%20' => 'dXNyOiUyMA==' => 'usr:%20'
> 
> So indeed, unescaping in url_new seems to be the right thing to do. Patch
> attached.

Very nice test, that gives me a lot more confidence that we are doing something
sane.

Index: url.c
===================================================================
--- url.c       (revision 32620)
+++ url.c       (working copy)
@@ -153,7 +153,9 @@
                        }
                        strncpy( Curl->password, ptr3+1, len2);
                        Curl->password[len2]='\0';
+                       url_unescape_string(Curl->password, Curl->password);
                }
+               url_unescape_string(Curl->username, Curl->username);
                ptr1 = ptr2+1;
                pos1 = ptr1-escfilename;
        }
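Review bot: both new calls pass the same buffer as outbuf and inbuf (Curl->password, Curl->password and Curl->username, Curl->username), so they depend on url_unescape_string being safe when source and destination alias, which this hunk cannot show; please confirm the function only ever writes at or behind its read position before relying on it here. It is also worth deciding what should happen to an escaped NUL in the userinfo: the fields are handled as NUL-terminated strings (Curl->password[len2]='\0'), so if the decoder emits a zero byte the credential would be silently shortened. Placing the calls after the split at ptr3 looks right, since an escaped ':' in either field then cannot move the split point.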
@@ -252,7 +254,8 @@
 
 
 /* Replace escape sequences in an URL (or a part of an URL) */
-/* works like strcpy(), but without return argument */
+/* works like strcpy(), but without return argument,
+   except that outbuf == inbuf is allowed */
 void
 url_unescape_string(char *outbuf, const char *inbuf)
 {
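Review bot: the updated comment above url_unescape_string now promises that outbuf == inbuf is allowed, but this hunk changes only the comment, so the promise rests entirely on the existing function body. Consider stating the reason in the comment (the output is never longer than the input, so the write position cannot overtake the read position) and that only exact aliasing is supported, not arbitrary overlap. Since inbuf is declared const char * while the callers added in the first hunk pass a buffer that is also written through outbuf, a short remark on that in the comment would help future readers.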
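The curl comparison quoted in this message, reproduced as an added example that is not part of the original post or of MPlayer's code: credentials taken from the URL are percent-decoded in place before base64 encoding, while separately supplied ones are encoded verbatim. The names unescape_inplace, base64 and basic_token are hypothetical, and leaving "%00" undecoded is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not MPlayer's url_unescape_string(): decode %XX in place
 * (output never outgrows input). Assumption: "%00" stays literal, no early NUL. */
static void unescape_inplace(char *s) {
    char *out = s;
    while (*s) {
        unsigned v = 0;
        int esc = s[0] == '%' && isxdigit((unsigned char)s[1]) &&
                  isxdigit((unsigned char)s[2]) && sscanf(s + 1, "%2x", &v) == 1 && v;
        if (esc) { *out++ = (char)v; s += 3; }
        else *out++ = *s++;
    }
    *out = '\0';
}

/* Standard base64 with '=' padding; out needs 4 * ((n + 2) / 3) + 1 bytes. */
static void base64(const char *in, size_t n, char *out) {
    static const char t[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                            "abcdefghijklmnopqrstuvwxyz0123456789+/";
    for (size_t i = 0; i < n; i += 3) {
        unsigned v = (unsigned)(unsigned char)in[i] << 16;
        if (i + 1 < n) v |= (unsigned)(unsigned char)in[i + 1] << 8;
        if (i + 2 < n) v |= (unsigned char)in[i + 2];
        *out++ = t[v >> 18];
        *out++ = t[(v >> 12) & 63];
        *out++ = i + 1 < n ? t[(v >> 6) & 63] : '=';
        *out++ = i + 2 < n ? t[v & 63] : '=';
    }
    *out = '\0';
}

/* from_url=1: fields already split out of the URL, decoded in place as in the
 * patch; 0: supplied separately like curl -u, sent verbatim. out: >= 176 bytes. */
static const char *basic_token(char *user, char *pass, int from_url, char *out) {
    char cred[130];
    if (from_url) { unescape_inplace(user); unescape_inplace(pass); }
    snprintf(cred, sizeof cred, "%s:%s", user, pass);
    base64(cred, strlen(cred), out);
    return out;
}

int main(void) {
    char out[176], u[] = "usr", p[] = "%20";   /* constructed sample input */
    printf("verbatim: %s\n", basic_token(u, p, 0, out));
    printf("from URL: %s\n", basic_token(u, p, 1, out));
}
```

The two tokens match the values in the curl test above; decoding each field only after the split on ':' is what lets an escaped ':' or '@' appear in a password.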

