hc-dev mailing list archives

From Ortwin Glück <ortwin.glu...@nose.ch>
Subject Re: DO NOT REPLY [Bug 28728] - HttpUrl does not accept unescaped passwords
Date Wed, 08 Sep 2004 12:27:47 GMT
Thanks again. The problem with that patch is that it assumes that
userinfo is always a username and password. This may be almost always
the case for the HTTP scheme. But actually the userinfo part of a URL
can be *anything*. The actual format of userinfo strongly depends on the
context (i.e. the authentication scheme). RFC-2396 states: "Some URL
schemes use the format "user:password" in the userinfo field."

I suggest we provide

public HttpURL(String user, String password, String host, int port,
               String path, String query, String fragment)
    throws URIException

which takes user and password, properly escapes them and joins them
together with a colon as the delimiter and just feeds them into the
generic constructor.

We would then not deprecate
public HttpURL(String userinfo, String host, int port, String path,
               String query, String fragment) throws URIException

but change its contract to require userinfo to be correctly escaped and
limited to the legal set of characters.

O.

bugzilla@apache.org wrote:

> ------- Additional Comments From ib@fiz-chemie.de  2004-09-08 12:05 -------
> Created an attachment (id=12670)
> The same patch in unified diff format (forgot the -u, sorry)

-- 
  _________________________________________________________________
  NOSE applied intelligence ag

  ortwin glück                      [www]      http://www.nose.ch
  software engineer
  hardturmstrasse 171               [pgp id]           0x81CF3416
  8005 zürich                       [office]      +41-1-277 57 35
  switzerland                       [fax]         +41-1-277 57 12
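
The escape-then-join step proposed in the message above, as an added example that is not part of the original thread and is not HttpClient code. It uses the JDK's java.net.URI rather than HttpURL; the class and method names and the sample user, password and host are hypothetical, constructed values.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;

public class UserinfoEscapeExample {
    // RFC 2396 "mark" characters; with letters and digits they form "unreserved".
    private static final String MARK = "-_.!~*'()";

    // Percent-encode every UTF-8 byte that is not RFC 2396 unreserved, so that
    // ':', '@', '/', '?', '#' and '%' in a user name or password cannot act as delimiters.
    static String escape(String s) {
        StringBuilder out = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean unreserved = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || MARK.indexOf(c) >= 0;
            if (unreserved) {
                out.append((char) c);
            } else {
                out.append('%').append(String.format("%02X", c));
            }
        }
        return out.toString();
    }

    // Escape user and password separately, then join them with the ':' delimiter.
    static String userinfo(String user, String password) {
        return escape(user) + ":" + escape(password);
    }

    public static void main(String[] args) throws Exception {
        String user = "alice";          // constructed sample value
        String password = "p@ss/word";  // constructed sample value
        String host = "example.org";    // constructed sample value

        // Unescaped: the '@' and '/' inside the password end the authority early.
        URI raw = new URI("http://" + user + ":" + password + "@" + host + "/");
        // Escaped: the same characters survive only as %XX inside the userinfo.
        URI safe = new URI("http://" + userinfo(user, password) + "@" + host + "/");

        System.out.println("unescaped host: " + raw.getHost());
        System.out.println("escaped host:   " + safe.getHost());
        System.out.println("raw userinfo:   " + safe.getRawUserInfo());
        System.out.println("decoded:        " + safe.getUserInfo());
        if (!host.equals(safe.getHost())) {
            throw new IllegalStateException("host changed after escaping");
        }
    }
}
```

Comparing the two host values shows why a constructor that accepts a pre-joined userinfo string has to require that it is already escaped: the parser cannot tell a delimiter from password data.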
