Bug #20013 :: getNormalizedURL() adds leading "@" chars in the Authority

Package home | Report new bug | New search | Development Roadmap

Status: Open | Feedback | All | Closed Since Version 2.2.3

Bug #20013	getNormalizedURL() adds leading "@" chars in the Authority
Submitted:	2013-07-18 22:13 UTC
From:	ross	Assigned:	tkli
Status:	Closed	Package:	Net_URL2 (version 2.0.0)
PHP Version:	Irrelevant	OS:
Roadmaps:	(Not assigned)
Subscription	Your email:

Comments Add Comment Add patch

[2013-07-18 22:13 UTC] ross (Ross Perkins)

Description:
------------
This bug report refers to github's pear/Net_URL2 #f4864b005a

https://github.com/pear/Net_URL2/commit/f4864b005ae052aa20
5339bc26e4d7268ad7d5b7

$url->getNormalizedURL() fails to return a valid URL if there is no 
user:password in the URL.  It erroneously adds an "@" symbol in 
the normalized URL.

Test script:
---------------
This test method will fail until the bug is fixed:

	public function testNormalizeDoesNotAddErroneousAts()
	{
		$expectedResults = array(
			'http://example.com/',
			'http://example.com:80/',
			'http://user:pass@example.com/',
		);

		foreach($expectedResults as $expected)
		{
			$url = new Net_Url2($expected);
			$this->assertSame($expected, $url->getNormalizedURL(), "getNormalizedURL must return the expected result");
		}
	}


Expected result:
----------------
The test should pass.  Instead, it fails.

For example when normalizing this URL:
  http://example.com/

getNormalizedURL() returns:
  http://@example.com/

This is obviously broken.

Comments

[2013-07-18 22:24 UTC] ross (Ross Perkins)

I forked Net_URL2 on Github, here is a patch that adds the phpunit test showing the 
bug, and also the fix:

https://github.com/vube/php-pear-
Net_URL2/commit/9a2daa17270e1c6a81645d193052e4f871b2e987

[2013-07-19 07:26 UTC] tkli (Tom Klingenberg)

As an empty userinfo part is technically possible (zero-length-string) and in a normalization it should be dropped ("The user information, if present, is followed by a commercial at-sign ("@") that delimits it from the host." 3.2.1.  User Information).

Therefore I would suggest to allow the zero-length userinfo (as it happens here to trigger the flaw) and check with strlen() instead of !== FALSE in getAuthority().


        if (strlen($this->_userinfo)) {
            $authority .= $this->_userinfo . '@';
        }

[2013-07-19 14:36 UTC] tkli (Tom Klingenberg)

Ross, can you please review if Bug and Fix in https://github.com/ktomk/Net_URL2/commits/patch-20013 do the work for you?

My conclusion is that setting an empty string as user information (userinfo in short) shouldn't result in the commercial at-sign ("@") in the first place.

This also addresses the problem adding that @ sign in URL normalization (Net_URL2::getNormalizedURL()).

[2013-07-19 20:30 UTC] ross (Ross Perkins)

Hi Tom, that fix looks good.  It also covers more cases where the bug would have 
been affected.  Nice work.  :)

[2013-07-22 01:09 UTC] tkli (Tom Klingenberg)

PR is: https://github.com/pear/Net_URL2/pull/6

[2013-07-27 09:54 UTC] doconnor (Daniel O'Connor)

-Status:      Open
+Status:      Closed
-Assigned To:
+Assigned To: tkli