Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 2.0.5

Bug #20013 getNormalizedURL() adds leading "@" chars in the Authority
Submitted: 2013-07-18 17:13 UTC Modified: 2013-07-27 04:54 UTC
From: ross Assigned: tkli
Status: Closed Package: Net_URL2 (version 2.0.0)
PHP Version: Irrelevant OS:
Roadmaps: (Not assigned)    
Subscription  


 [2013-07-18 17:13 UTC] ross (Ross Perkins)
Description: ------------ This bug report refers to github's pear/Net_URL2 #f4864b005a https://github.com/pear/Net_URL2/commit/f4864b005ae052aa20 5339bc26e4d7268ad7d5b7 $url->getNormalizedURL() fails to return a valid URL if there is no user:password in the URL. It erroneously adds an "@" symbol in the normalized URL. Test script: --------------- This test method will fail until the bug is fixed: public function testNormalizeDoesNotAddErroneousAts() { $expectedResults = array( 'http://example.com/', 'http://example.com:80/', 'http://user:pass@example.com/', ); foreach($expectedResults as $expected) { $url = new Net_Url2($expected); $this->assertSame($expected, $url->getNormalizedURL(), "getNormalizedURL must return the expected result"); } } Expected result: ---------------- The test should pass. Instead, it fails. For example when normalizing this URL: http://example.com/ getNormalizedURL() returns: http://@example.com/ This is obviously broken.

Comments

 [2013-07-18 17:24 UTC] ross (Ross Perkins)
I forked Net_URL2 on Github, here is a patch that adds the phpunit test showing the bug, and also the fix: https://github.com/vube/php-pear- Net_URL2/commit/9a2daa17270e1c6a81645d193052e4f871b2e987
 [2013-07-19 02:26 UTC] tkli (Tom Klingenberg)
As an empty userinfo part is technically possible (zero-length-string) and in a normalization it should be dropped ("The user information, if present, is followed by a commercial at-sign ("@") that delimits it from the host." 3.2.1. User Information). Therefore I would suggest to allow the zero-length userinfo (as it happens here to trigger the flaw) and check with strlen() instead of !== FALSE in getAuthority(). if (strlen($this->_userinfo)) { $authority .= $this->_userinfo . '@'; }
 [2013-07-19 09:36 UTC] tkli (Tom Klingenberg)
Ross, can you please review if Bug and Fix in https://github.com/ktomk/Net_URL2/commits/patch-20013 do the work for you? My conclusion is that setting an empty string as user information (userinfo in short) shouldn't result in the commercial at-sign ("@") in the first place. This also addresses the problem adding that @ sign in URL normalization (Net_URL2::getNormalizedURL()).
 [2013-07-19 15:30 UTC] ross (Ross Perkins)
Hi Tom, that fix looks good. It also covers more cases where the bug would have been affected. Nice work. :)
 [2013-07-21 20:09 UTC] tkli (Tom Klingenberg)
 [2013-07-27 04:54 UTC] doconnor (Daniel O'Connor)
-Status: Open +Status: Closed -Assigned To: +Assigned To: tkli