diff options
author | Stan Hu <stanhu@gmail.com> | 2018-07-10 13:00:21 -0700 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2018-07-10 13:09:37 -0700 |
commit | 718a23fd36de971b3bd127c6f9d5311f7029e15c (patch) | |
tree | 74da6e6052e7f4cf34b2813a16b00c6ceccf3e5c | |
parent | 255db3d59792e9bac92f4327b4e324e2bd32810a (diff) | |
download | gitlab-ce-718a23fd36de971b3bd127c6f9d5311f7029e15c.tar.gz |
Properly handle colons in URL passwords
Before b46d5b13ecb8e0c0793fa433bff7f49cb0612760, we relied on
`Addressable::URI` to parse the username/password in a URL, but this failed
when credentials contained special characters. However, this introduced a regression
where the parsing would incorrectly truncate the password if the password had a colon.
Closes #49080
-rw-r--r-- | changelogs/unreleased/sh-handle-colons-in-url-passwords.yml | 5 | ||||
-rw-r--r-- | lib/gitlab/url_sanitizer.rb | 2 | ||||
-rw-r--r-- | spec/lib/gitlab/url_sanitizer_spec.rb | 1 |
3 files changed, 7 insertions, 1 deletions
diff --git a/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml b/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml new file mode 100644 index 00000000000..7717d0aab37 --- /dev/null +++ b/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml @@ -0,0 +1,5 @@ +--- +title: Properly handle colons in URL passwords +merge_request: +author: +type: fixed diff --git a/lib/gitlab/url_sanitizer.rb b/lib/gitlab/url_sanitizer.rb index 59331c827af..de8b6ec69ce 100644 --- a/lib/gitlab/url_sanitizer.rb +++ b/lib/gitlab/url_sanitizer.rb @@ -58,7 +58,7 @@ module Gitlab if raw_credentials.present? url.sub!("#{raw_credentials}@", '') - user, password = raw_credentials.split(':') + user, _, password = raw_credentials.partition(':') @credentials ||= { user: user.presence, password: password.presence } end diff --git a/spec/lib/gitlab/url_sanitizer_spec.rb b/spec/lib/gitlab/url_sanitizer_spec.rb index fc8991fd31f..758a9bc5a2b 100644 --- a/spec/lib/gitlab/url_sanitizer_spec.rb +++ b/spec/lib/gitlab/url_sanitizer_spec.rb @@ -92,6 +92,7 @@ describe Gitlab::UrlSanitizer do context 'credentials in URL' do where(:url, :credentials) do 'http://foo:bar@example.com' | { user: 'foo', password: 'bar' } + 'http://foo:bar:baz@example.com' | { user: 'foo', password: 'bar:baz' } 'http://:bar@example.com' | { user: nil, password: 'bar' } 'http://foo:@example.com' | { user: 'foo', password: nil } 'http://foo@example.com' | { user: 'foo', password: nil } |