dart-lang / http

A composable API for making HTTP requests in Dart.
https://pub.dev/packages/http
BSD 3-Clause "New" or "Revised" License

Server received pct-encoded password #1256

Open idy opened 1 week ago

idy commented 1 week ago

When using the following code to send a request, the server receives the password not as ^pwd but as %5Epwd.

import 'package:http/http.dart' as http;

http.get(Uri.parse('https://user:%5Epwd@example.com'));

lrhn commented 1 week ago

Does look like both dart:io and package:http send the authentication as (code from dart:io)

String auth = base64Encode(utf8.encode(uri.userInfo));

and prefixed with "Basic ".

The problem is that uri.userInfo does not decode percent-escapes, so the code should be doing

String auth = base64Encode(utf8.encode(Uri.decodeComponent(uri.userInfo)));

Alternatively, the userInfo getter should decode for you. That's what most other getters on Uri do, extracting the meaning of the substring of the URI text, not its literal text. (We should decide on one of those, doing both would be wrong too.)

I can't say what a browser would do, because my browser seems to ignore username/password in the request. Probably for safety reasons.
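The two ways of building the Basic credential that lrhn contrasts, side by side, as an added Dart example that is not code from the issue or from package:http; the URL is the one from the report, and the helper names are my own:

```dart
import 'dart:convert';

/// Builds the Basic credential the way the issue says dart:io does today:
/// base64 of the raw userInfo substring, which still contains "%5E".
String basicFromRawUserInfo(Uri uri) =>
    'Basic ${base64Encode(utf8.encode(uri.userInfo))}';

/// The change lrhn suggests: percent-decode userInfo before base64-encoding it.
/// Uri.decodeComponent throws ArgumentError on a malformed escape such as "%5",
/// so a caller that accepts untrusted URLs should catch that rather than crash.
String basicFromDecodedUserInfo(Uri uri) =>
    'Basic ${base64Encode(utf8.encode(Uri.decodeComponent(uri.userInfo)))}';

/// Decodes a Basic credential the way a server would and returns the password
/// it will compare against its store (everything after the first ':').
String passwordSeenByServer(String authorizationHeader) {
  const prefix = 'Basic ';
  final userPass =
      utf8.decode(base64Decode(authorizationHeader.substring(prefix.length)));
  return userPass.substring(userPass.indexOf(':') + 1);
}

void main() {
  // The URL from the report: '^' is percent-encoded as %5E in the userinfo.
  final uri = Uri.parse('https://user:%5Epwd@example.com');

  // userInfo is returned as the literal URI text, escapes included.
  print('userInfo: ${uri.userInfo}');

  // With the raw form the server compares the still-escaped text against
  // the stored password; with the decoded form it sees the intended '^pwd'.
  print('raw:     ${passwordSeenByServer(basicFromRawUserInfo(uri))}');
  print('decoded: ${passwordSeenByServer(basicFromDecodedUserInfo(uri))}');
}
```

Whichever side ends up decoding (the client as above, or the userInfo getter as lrhn's alternative), it must be exactly one of them: decoding in both places would turn a literal "%25" in a password into "%" twice over.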

idy commented 1 week ago

As we discussed in lang/sdk#56114, I personally believe that Uri.parse should not store pct-encoded values in userInfo. Instead, it should encode these values when constructing the URL in toString().