http: decode username and password before encoding

Fixes: nodejs#31439
addaleax · Jan 21, 2020 · 17ef5bf · 17ef5bf
1 parent a484f1a
commit 17ef5bf
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/lib/internal/url.js b/lib/internal/url.js
@@ -1284,7 +1284,8 @@ function urlToOptions(url) {
     options.port = Number(url.port);
   }
   if (url.username || url.password) {
-    options.auth = `${url.username}:${url.password}`;
+    options.auth =
+      `${decodeURIComponent(url.username)}:${decodeURIComponent(url.password)}`;
   }
   return options;
 }

diff --git a/test/parallel/test-http-url-username.js b/test/parallel/test-http-url-username.js
@@ -0,0 +1,33 @@
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+const http = require('http');
+const MakeDuplexPair = require('../common/duplexpair');
+
+// Test that usernames from URLs are URL-decoded, as they should be.
+
+{
+  const url = new URL('http://localhost');
+  url.username = 'test@test';
+  url.password = '123456';
+
+  const server = http.createServer(
+    common.mustCall((req, res) => {
+      assert.strictEqual(
+        req.headers.authorization,
+        'Basic ' + Buffer.from('test@test:123456').toString('base64'));
+      res.statusCode = 200;
+      res.end();
+    }));
+
+  const { clientSide, serverSide } = MakeDuplexPair();
+  server.emit('connection', serverSide);
+
+  const req = http.request(url, {
+    createConnection: common.mustCall(() => clientSide)
+  }, common.mustCall((res) => {
+    res.resume();  // We don’t actually care about contents.
+    res.on('end', common.mustCall());
+  }));
+  req.end();
+}