From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 12 Oct 2022 21:48:38 +0000 (+0200)
Subject: netrc: use the URL-decoded user
X-Git-Tag: curl-7_86_0~65
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a2aa980886394db00a32d14b94e3bbbe1ea725cd;p=thirdparty%2Fcurl.git

netrc: use the URL-decoded user

When the user name is provided in the URL it is URL encoded there, but
when used for authentication the encoded version should be used.

Regression introduced after 7.83.0

Reported-by: Jonas Haag
Fixes #9709
Closes #9715
---

diff --git a/lib/url.c b/lib/url.c
index a10c0b1550..3df92beea1 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2089,7 +2089,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
       return Curl_uc_to_curlcode(uc);
   }
 
-  if(!data->state.aptr.user) {
+  if(!data->set.str[STRING_USERNAME]) {
     /* we don't use the URL API's URL decoder option here since it rejects
        control codes and we want to allow them for some schemes in the user
        and password fields */
@@ -2996,14 +2996,8 @@ static CURLcode override_login(struct Curl_easy *data,
   char **userp = &conn->user;
   char **passwdp = &conn->passwd;
   char **optionsp = &conn->options;
-
-#ifndef CURL_DISABLE_NETRC
-  if(data->set.use_netrc == CURL_NETRC_REQUIRED && data->state.aptr.user) {
-    Curl_safefree(*userp);
-    Curl_safefree(*passwdp);
-    Curl_safefree(data->state.aptr.user); /* disable user+password */
-  }
-#endif
+  bool netrc_user_changed = FALSE;
+  bool netrc_passwd_changed = FALSE;
 
   if(data->set.str[STRING_OPTIONS]) {
     free(*optionsp);
@@ -3013,16 +3007,18 @@ static CURLcode override_login(struct Curl_easy *data,
   }
 
 #ifndef CURL_DISABLE_NETRC
+  if(data->set.use_netrc == CURL_NETRC_REQUIRED) {
+    Curl_safefree(*userp);
+    Curl_safefree(*passwdp);
+  }
   conn->bits.netrc = FALSE;
   if(data->set.use_netrc && !data->set.str[STRING_USERNAME]) {
-    bool netrc_user_changed = FALSE;
-    bool netrc_passwd_changed = FALSE;
     int ret;
     bool url_provided = FALSE;
 
-    if(data->state.up.user) {
-      /* there was a user name in the URL */
-      userp = &data->state.up.user;
+    if(data->state.aptr.user) {
+      /* there was a user name in the URL. Use the URL decoded version */
+      userp = &data->state.aptr.user;
       url_provided = TRUE;
     }
 
@@ -3061,9 +3057,13 @@ static CURLcode override_login(struct Curl_easy *data,
 
   /* for updated strings, we update them in the URL */
   if(*userp) {
-    CURLcode result = Curl_setstropt(&data->state.aptr.user, *userp);
-    if(result)
-      return result;
+    CURLcode result;
+    if(data->state.aptr.user != *userp) {
+      /* nothing to do then */
+      result = Curl_setstropt(&data->state.aptr.user, *userp);
+      if(result)
+        return result;
+    }
   }
   if(data->state.aptr.user) {
     uc = curl_url_set(data->state.uh, CURLUPART_USER, data->state.aptr.user,