From 97629167883cfa9ab24c59c3aa9a28a5e6bddd18 Mon Sep 17 00:00:00 2001
From: Jaroslav Kysela
Date: Wed, 28 Dec 2016 19:42:38 +0100
Subject: [PATCH] http: deescape username/password for basic and digest auth, fixes #4147
---
 src/http.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/http.c b/src/http.c
index 7ab3a7f04..eb8e278b0 100644
--- a/src/http.c
+++ b/src/http.c
@@ -1152,6 +1152,8 @@ process_request(http_connection_t *hc, htsbuf_queue_t *spill)
 if((n = http_tokenize(authbuf, argv, 2, ':')) == 2) {
 hc->hc_username = tvh_strdupa(argv[0]);
 hc->hc_password = tvh_strdupa(argv[1]);
+ http_deescape(hc->hc_username);
+ http_deescape(hc->hc_password);
 // No way to actually track this
 }
 } else if (strcasecmp(argv[0], "digest") == 0) {
@@ -1166,6 +1168,7 @@ process_request(http_connection_t *hc, htsbuf_queue_t *spill)
 v = http_get_header_value(argv[1], "username");
 hc->hc_authhdr = tvh_strdupa(argv[1]);
 hc->hc_username = tvh_strdupa(v);
+ http_deescape(hc->hc_username);
 free(v);
 } else {
 http_error(hc, HTTP_STATUS_BAD_REQUEST);
--
2.47.2
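Review bot: The two `http_deescape()` calls added after `hc->hc_password = tvh_strdupa(argv[1]);` in the Basic branch percent-decode credentials that were already base64-decoded, so the server no longer compares what the client sent: a password containing a literal `%41` would presumably be checked as `A`, and if `http_deescape` also maps `+` to a space (its body is not part of this patch) any password containing `+` stops matching. Several distinct byte strings now normalise to one account name, which matters for log correlation and for any lockout or ACL keyed on the raw name, and a `%00` would shorten the string unless the decoder rejects it. I would state the rule at the call site, e.g. `/* RFC 7617 defines no percent-escaping for user-pass; decoded here for #4147, so a literal '%XX' in a credential is rewritten */`, and confirm that `http_deescape` refuses `%00`. The username normalisation point applies equally to the digest hunk. `process_request` starts and ends outside both hunks.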
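Review bot: In the digest branch `http_deescape(hc->hc_username)` changes only the copy kept in `hc_username`, while `hc->hc_authhdr` still holds the header as sent, so the name the client hashed into its response and the name the server looks up can differ once an escape is present. Whether verification still succeeds depends on which of the two strings the digest check (outside this hunk) feeds into the hash; a comment such as `/* hc_username is decoded; hc_authhdr keeps the raw username the client hashed */` would make that explicit. Separately, nothing visible here checks `v` before `tvh_strdupa(v)` and the new call, so a header without a `username` field looks like it reaches both with NULL unless a line outside the hunk guards it. If no such guard exists, `if (v == NULL)` should take the same `http_error(hc, HTTP_STATUS_BAD_REQUEST)` path as the `else` branch.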