Parse error on proxy request with auth URL #116

bnoordhuis opened this Issue · 18 comments

3 participants

Works -> GET HTTP/1.1
Fails -> GET HTTP/1.1

See nodejs/node-v0.x-archive#3527.


Added two tests in 4ecc216.


This is kind of a pain to implement.

Axiom: the parser cannot backtrack or look ahead.

When the parser has seen http://, it can't know if what follows is the userinfo or the host:port section. That needs to be addressed somehow because the userinfo section allows characters that are illegal in host names.

From RFC 2396:

3.2.2. Server-based Naming Authority

   URL schemes that involve the direct use of an IP-based protocol to a
   specified server on the Internet use a common syntax for the server
   component of the URI's scheme-specific data:


   where <userinfo> may consist of a user name and, optionally, scheme-
   specific information about how to gain authorization to access the
   server.  The parts "<userinfo>@" and ":<port>" may be omitted.

      server        = [ [ userinfo "@" ] hostport ]

   The user information, if present, is followed by a commercial at-sign

      userinfo      = *( unreserved | escaped |
                         ";" | ":" | "&" | "=" | "+" | "$" | "," )

   Some URL schemes use the format "user:password" in the userinfo
   field. This practice is NOT RECOMMENDED, because the passing of
   authentication information in clear text (such as URI) has proven to
   be a security risk in almost every case where it has been used.

   The host is a domain name of a network host, or its IPv4 address as a
   set of four decimal digit groups separated by ".".  Literal IPv6
   addresses are not supported.

      hostport      = host [ ":" port ]
      host          = hostname | IPv4address
      hostname      = *( domainlabel "." ) toplabel [ "." ]
      domainlabel   = alphanum | alphanum *( alphanum | "-" ) alphanum
      toplabel      = alpha | alpha *( alphanum | "-" ) alphanum
      IPv4address   = 1*digit "." 1*digit "." 1*digit "." 1*digit
      port          = *digit


I can submit a patch which:

  • relaxes the constraint on host and hostport parsing
  • checks allowed chars when finding delimiters for user:password or host:port
  • adds two values in http_parser_url_fields: BASIC_AUTH_USERNAME and BASIC_AUTH_PASSWORD.

I can try this if the above design is OK for you.


check allowed chars when finding delimiters for user:password or host:port

The problem is that that is not an option. You're not guaranteed to get a full request line, the input to http_parser_execute() may be spread over several packets. That's what I meant when I said that the parser can't backtrack or look ahead.

As an example, say the first packet contains GET http://foo:. What is foo? A username or a domain?


But I do not see a solution: you cannot guess if foo is user info or host name without seeking an @. Right?

Correct, that's the dilemma. :-)

I have to think hard about how to best approach this. Maybe there's no good alternative but to break the interface - but that's something I'd rather not do, of course.
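
One way to live with the no-lookahead constraint discussed above, as an added example that is not part of the thread and not http-parser's code or the patch that was later merged: accept the union of userinfo and host characters while streaming, remember where the first "@" was, and validate the host strictly only once the authority has ended. All names (`a_scan`, `a_feed`, `a_host_ok`) are hypothetical, the sample input is constructed, and "%" is accepted loosely rather than as a full `escaped` triplet.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical scanner for the authority that follows "http://".
 * State lives in the struct, so input may arrive in arbitrary chunks. */
enum a_state { A_NO_AT, A_WITH_AT, A_DONE, A_ERROR };
struct a_scan { enum a_state st; size_t len, host; char buf[128]; };

void a_init(struct a_scan *s) { memset(s, 0, sizeof *s); } /* A_NO_AT == 0 */

/* userinfo set from RFC 2396 3.2.2; host[:port] bytes are a subset of it. */
static int userinfo_char(unsigned char c) {
    return isalnum(c) || (c != 0 && strchr("-_.!~*'()%;:&=+$,", c) != NULL);
}

/* Feed one chunk. Never re-reads old input and never peeks past the chunk. */
enum a_state a_feed(struct a_scan *s, const char *p, size_t n) {
    for (size_t i = 0; i < n && s->st != A_DONE && s->st != A_ERROR; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c == '/' || c == '?' || c == ' ') s->st = A_DONE;   /* authority ended */
        else if (s->len + 1 >= sizeof s->buf) s->st = A_ERROR;  /* too long */
        else if (c == '@' && s->st == A_NO_AT) {  /* first '@': prefix was userinfo */
            s->st = A_WITH_AT;
            s->buf[s->len++] = '@';
            s->host = s->len;                     /* host starts after the '@' */
        } else if (userinfo_char(c)) s->buf[s->len++] = (char)c;
        else s->st = A_ERROR;                     /* second '@' or illegal byte */
    }
    return s->st;
}

/* Second pass, valid only in A_DONE: strict host[:port] check after the '@'. */
int a_host_ok(const struct a_scan *s) {
    const char *h = s->buf + s->host;
    size_t i = 0, n = s->len - s->host;
    if (s->st != A_DONE) return 0;
    while (i < n && (isalnum((unsigned char)h[i]) || h[i] == '-' || h[i] == '.')) i++;
    if (i == 0) return 0;                         /* empty host */
    if (i < n && h[i++] != ':') return 0;         /* only ":port" may follow */
    while (i < n && isdigit((unsigned char)h[i])) i++;
    return i == n;
}

int main(void) {                       /* constructed input, split mid-authority */
    struct a_scan s;
    a_init(&s);
    a_feed(&s, "foo:", 4);             /* still undecided: user or host? */
    a_feed(&s, "bar@localhost/", 14);  /* '@' settles it without backtracking */
    return a_host_ok(&s) ? 0 : 1;
}
```

The cost of this approach is that a request line with userinfo-only characters in the host position is rejected late, after the authority terminator, instead of at the offending byte.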


Ping :)

Sorry, it's really annoying for me.


I haven't really been able to come up with a good solution yet. Tell you what, start with something that works for you and if it's good, I'll pull it in.


http-parser is a fork of the Nginx one (I did not see that before).

The nginx http parser does not support a GET http://toto:titi@localhost/ HTTP/1.1 request. Nginx issues a 400 response. It's not a problem for nginx because nginx is not used as an outgoing proxy.
But NodeJS can be used as an outgoing proxy (it's what I want to do :)).

I will try a fix, but I'm afraid it can only be crappy ...


Pull request done. I will be happy if someone can do a code review on my code.


Pull request merged; closing.

@pgriess pgriess closed this

Oh, crap you need to sign the CLA at

Once you do that, we'll include you in the AUTHORS file.

As for getting this merged into NodeJS, I'm not sure what the procedure is for that these days. @ry or @isaacs what's the deal with that?


I'll land it in node master sometime soon.



Any news for the merge into nodejs?

And for my name in AUTHORS?
Bertrand Paquet




@bpaquet Added you to AUTHORS in 4e1a6ab and upgraded the parser in nodejs/node-v0.x-archive@4784ea1.
