Merge branch 'sh-handle-colons-in-url-passwords' into 'master'

Properly handle colons in URL passwords Closes #49080 See merge request gitlab-org/gitlab-ce!20538
2018-07-11 06:00:17 +00:00 · 2018-07-11 06:00:17 +00:00 · c6b670216c
commit c6b670216c
parent c2a0a3ab1a 718a23fd36
3 changed files with 7 additions and 1 deletions
--- a/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml
+++ b/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml
@ -0,0 +1,5 @@
+---
+title: Properly handle colons in URL passwords
+merge_request:
+author:
+type: fixed
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@ -58,7 +58,7 @@ module Gitlab
      if raw_credentials.present?
        url.sub!("#{raw_credentials}@", '')

-        user, password = raw_credentials.split(':')
+        user, _, password = raw_credentials.partition(':')
        @credentials ||= { user: user.presence, password: password.presence }
      end

--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@ -92,6 +92,7 @@ describe Gitlab::UrlSanitizer do
    context 'credentials in URL' do
      where(:url, :credentials) do
        'http://foo:bar@example.com' | { user: 'foo', password: 'bar' }
+        'http://foo:bar:baz@example.com' | { user: 'foo', password: 'bar:baz' }
        'http://:bar@example.com'    | { user: nil,   password: 'bar' }
        'http://foo:@example.com'    | { user: 'foo', password: nil }
        'http://foo@example.com'     | { user: 'foo', password: nil }