Clear user info totally at setting any of authority info

nobu · hsbt · commit 5cec76b9e877 · 2025-10-01T12:16:39.000+09:00
Fix CVE-2025-27221. https://hackerone.com/reports/3221142
diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
@@ -186,18 +186,18 @@ def initialize(scheme,
 
       if arg_check
         self.scheme = scheme
-        self.userinfo = userinfo
         self.hostname = host
         self.port = port
+        self.userinfo = userinfo
         self.path = path
         self.query = query
         self.opaque = opaque
         self.fragment = fragment
       else
         self.set_scheme(scheme)
-        self.set_userinfo(userinfo)
         self.set_host(host)
         self.set_port(port)
+        self.set_userinfo(userinfo)
         self.set_path(path)
         self.query = query
         self.set_opaque(opaque)
@@ -511,7 +511,7 @@ def set_userinfo(user, password = nil)
         user, password = split_userinfo(user)
       end
       @user     = user
-      @password = password if password
+      @password = password
 
       [@user, @password]
     end
@@ -522,7 +522,7 @@ def set_userinfo(user, password = nil)
     # See also URI::Generic.user=.
     #
     def set_user(v)
-      set_userinfo(v, @password)
+      set_userinfo(v, nil)
       v
     end
     protected :set_user
@@ -639,6 +639,7 @@ def set_host(v)
     def host=(v)
       check_host(v)
       set_host(v)
+      set_userinfo(nil)
       v
     end
 
@@ -729,6 +730,7 @@ def set_port(v)
     def port=(v)
       check_port(v)
       set_port(v)
+      set_userinfo(nil)
       port
     end
 
diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
@@ -283,6 +283,9 @@ def test_merge_authority
     u0 = URI.parse('http://new.example.org/path')
     u1 = u.merge('//new.example.org/path')
     assert_equal(u0, u1)
+    u0 = URI.parse('http://other@example.net')
+    u1 = u.merge('//other@example.net')
+    assert_equal(u0, u1)
   end
 
   def test_route
@@ -748,17 +751,18 @@ def test_join
   def test_set_component
     uri = URI.parse('http://foo:bar@baz')
     assert_equal('oof', uri.user = 'oof')
-    assert_equal('http://oof:bar@baz', uri.to_s)
+    assert_equal('http://oof@baz', uri.to_s)
     assert_equal('rab', uri.password = 'rab')
     assert_equal('http://oof:rab@baz', uri.to_s)
     assert_equal('foo', uri.userinfo = 'foo')
-    assert_equal('http://foo:rab@baz', uri.to_s)
+    assert_equal('http://foo@baz', uri.to_s)
     assert_equal(['foo', 'bar'], uri.userinfo = ['foo', 'bar'])
     assert_equal('http://foo:bar@baz', uri.to_s)
     assert_equal(['foo'], uri.userinfo = ['foo'])
-    assert_equal('http://foo:bar@baz', uri.to_s)
+    assert_equal('http://foo@baz', uri.to_s)
     assert_equal('zab', uri.host = 'zab')
-    assert_equal('http://foo:bar@zab', uri.to_s)
+    assert_equal('http://zab', uri.to_s)
+    uri.userinfo = ['foo', 'bar']
     uri.port = ""
     assert_nil(uri.port)
     uri.port = "80"
@@ -768,7 +772,8 @@ def test_set_component
     uri.port = " 080 "
     assert_equal(80, uri.port)
     assert_equal(8080, uri.port = 8080)
-    assert_equal('http://foo:bar@zab:8080', uri.to_s)
+    assert_equal('http://zab:8080', uri.to_s)
+    uri = URI.parse('http://foo:bar@zab:8080')
     assert_equal('/', uri.path = '/')
     assert_equal('http://foo:bar@zab:8080/', uri.to_s)
     assert_equal('a=1', uri.query = 'a=1')
