Skip to content

Encode UserName value in UriBuilder (Issue #74662) #74953

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Sep 7, 2022
Merged

Encode UserName value in UriBuilder (Issue #74662) #74953

merged 8 commits into from
Sep 7, 2022

Conversation

@cdbullard
Copy link
Contributor

@cdbullard cdbullard commented Sep 1, 2022
edited by MihaZupan
Loading

Fix #74662

Adding private method EncodeUserName to replace any problematic characters "/" / "\" / "?" / "#" / "@" with their appropriate values to prevent throwing a UriFormatException.

The code from MihaZupan's comment on this issue was implemented for this fix with minor changes.

@ghost ghost added community-contribution Indicates that the PR has been added by a community member area-System.Net labels Sep 1, 2022
@dnfadmin
Copy link

dnfadmin commented Sep 1, 2022
edited
Loading

CLA assistant check
All CLA requirements met.

@ghost
Copy link

ghost commented Sep 1, 2022

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

#74662

Adding private method EncodeUserName to replace any problematic characters "/" / "\" / "?" / "#" / "@" with their appropriate values to prevent throwing a UriFormatException.

The code from MihaZupan's comment on this issue was implemented for this fix with minor changes.

Author: cdbullard
Assignees: -
Labels:

area-System.Net, community-contribution
Milestone: -

MihaZupan
MihaZupan reviewed Sep 1, 2022
View reviewed changes
Copy link
Member

@MihaZupan MihaZupan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @cdbullard!

Could you please extend this change to also include the Password property, and also add some tests for these cases?

@MihaZupan MihaZupan added this to the 8.0.0 milestone Sep 1, 2022
MihaZupan
MihaZupan approved these changes Sep 2, 2022
View reviewed changes
Copy link
Member

@MihaZupan MihaZupan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@cdbullard @MihaZupan
Update src/libraries/System.Private.Uri/src/System/UriBuilder.cs
87f66a7 
Co-authored-by: Miha Zupan <mihazupan.zupan1@gmail.com>
@skyoxZ
Copy link
Contributor

skyoxZ commented Sep 5, 2022

This could be a break change.

Consider if users find UriBuilder.Uri.ToString() is buggy so they write a helper ToFullEncodedString as below:

var builder = new UriBuilder("https://www.microsoft.com")
{
    UserName = "mallory@hackers.net",
    Password = "hunter2",
};
Console.WriteLine(builder.ToFullEncodedString());

public static class UriBuilderExtension
{
    public static string ToFullEncodedString(this UriBuilder builder)
    {
        string plainUserName = builder.UserName;
        builder.UserName = System.Web.HttpUtility.UrlEncode(plainUserName);
        string result = builder.Uri.ToString();
        builder.UserName = plainUserName;
        return result;
    }
}

@MihaZupan
Copy link
Member

MihaZupan commented Sep 5, 2022
edited
Loading

I suppose it's possible.

We can avoid taking that risk by deferring the encoding to the ToString instead of the setters.

runtime/src/libraries/System.Private.Uri/src/System/UriBuilder.cs

Lines 344 to 350 in 87f66a7

vsb.Append(username);
string password = Password;
if (password.Length != 0)
{
vsb.Append(':');
vsb.Append(password);

@skyoxZ
Copy link
Contributor

skyoxZ commented Sep 5, 2022

And maybe : should also be encoded there.

@MihaZupan
Copy link
Member

I would avoid changing : for now. Uri doesn't enforce the exact format of UserInfo.
That is, new Uri("http://name:::password@host/").UserInfo is valid and changing it would be a breaking change.

@cdbullard
Copy link
Contributor Author

Thanks for the feedback--I have pushed a change that I believe will address this by moving the EncodeUserInfo call to the ToString() method per MihaZupan's comment, and also added a new unit test for this situation. Please let me know if any other changes should be made, thank you!

@cdbullard @MihaZupan
Update src/libraries/System.Private.Uri/tests/FunctionalTests/UriBuil…
4924a57 
…derTests.cs

Co-authored-by: Miha Zupan <mihazupan.zupan1@gmail.com>
@MihaZupan
Copy link
Member

Test failure is #74795

@MihaZupan MihaZupan merged commit e23d22e into dotnet:main Sep 7, 2022
@MihaZupan MihaZupan mentioned this pull request Sep 9, 2022
Merged
@ghost ghost locked as resolved and limited conversation to collaborators Oct 7, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@MihaZupan MihaZupan MihaZupan approved these changes

Assignees

No one assigned

Labels

area-System.Net community-contribution Indicates that the PR has been added by a community member

Projects

None yet

Milestone

8.0.0

Development

Successfully merging this pull request may close these issues.

UriBuilder should percent-encode its UserName or Password properties

4 participants

@cdbullard @dnfadmin @skyoxZ @MihaZupan