author | Ondrej Holy <oholy@redhat.com> | 2017-01-20 14:19:50 +0100 |
---|---|---|
committer | Ondrej Holy <oholy@redhat.com> | 2017-02-13 12:45:13 +0100 |
commit | 2417271df21aa6ae3c931c0d6840107460182b23 (patch) | |
tree | 9050736ed72f35e15a11eecd042234104a668772 /client/gvfsuriutils.c | |
parent | a051cac947b8043d73d0123086b7ae358f342cb9 (diff) | |
download | gvfs-2417271df21aa6ae3c931c0d6840107460182b23.tar.gz |
client: Ignore everything after first colon in userinfo
Use of the format "user:password" in the userinfo field is deprecated
and applications should not render as clear text any data after the
first colon as per rfc3986. Passwords have never been handled in
userinfo fields by GVfs, however, they are still part of the usernames,
which is wrong. Let's ignore such data in userinfo fields.
https://bugzilla.gnome.org/show_bug.cgi?id=628430
Diffstat (limited to 'client/gvfsuriutils.c')
-rw-r--r-- | client/gvfsuriutils.c | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/client/gvfsuriutils.c b/client/gvfsuriutils.c index 57ad5f16..40a7afac 100644 --- a/client/gvfsuriutils.c +++ b/client/gvfsuriutils.c @@ -163,14 +163,29 @@ g_vfs_decode_uri (const char *uri) authority_end - authority_start, "@"); if (userinfo_end) { - userinfo_start = authority_start; + char *p; + + host_start = userinfo_end + 1; + userinfo_start = authority_start; + + /* Applications should not render as clear text any data + * after the first colon (":") character found within a userinfo + * subcomponent unless the data after the colon is the empty string + * (indicating no password). Applications may choose to ignore or + * reject such data when it is received as part of a reference and + * should reject the storage of such data in unencrypted form. + * See https://tools.ietf.org/html/rfc3986 + */ + p = memchr (userinfo_start, ':', userinfo_end - userinfo_start); + if (p != NULL) + userinfo_end = p; + decoded->userinfo = g_uri_unescape_segment (userinfo_start, userinfo_end, NULL); if (decoded->userinfo == NULL) { g_vfs_decoded_uri_free (decoded); return NULL; } - host_start = userinfo_end + 1; } else host_start = authority_start; |
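Review bot: in the `if (userinfo_end)` branch, a userinfo that begins with a colon (for example ":secret@host") makes `p` equal to `userinfo_start`, so after `userinfo_end = p;` the range passed to `g_uri_unescape_segment` is empty and the result is an empty string, which passes the `decoded->userinfo == NULL` check; callers that only test for a non-NULL userinfo would then see an empty username. Consider skipping the assignment to `decoded->userinfo` when `p == userinfo_start`, or state in the comment that an empty username is the intended outcome. The line `host_start = userinfo_end + 1;` now has to run before `userinfo_end` is overwritten, which deserves a short comment so a later cleanup does not move it back below the `memchr`. The `memchr` runs on the still-escaped bytes, so a percent-encoded `%3A` stays in the username; that is consistent with the RFC 3986 text quoted in the comment, but it is worth a test case alongside "user:pass@host" and "user:@host". Finally, `p` could be declared `const char *`, since it points into the URI being parsed, which arrives as `const char *uri`.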