correctly sanitise user info parameters

filecage · filecage · commit d67f0515ec3d · 2023-06-02T15:49:48.000+02:00
diff --git a/src/Actions/Parse.php b/src/Actions/Parse.php
@@ -10,10 +10,38 @@
      * @internal
      */
     final class Parse {
+
+        /**
+         * Unreserved characters for use in a regex.
+         *
+         * @see https://tools.ietf.org/html/rfc3986#section-2.3
+         */
+        private const CHAR_UNRESERVED = 'a-zA-Z0-9_\-\.~';
+
+        /**
+         * Sub-delims for use in a regex.
+         *
+         * @see https://tools.ietf.org/html/rfc3986#section-2.2
+         */
+        private const CHAR_SUB_DELIMS = '!\$&\'\(\)\*\+,;=';
+
         static function parseHost (string $host) : string {
             return strtolower($host);
         }
 
+        static function parseUserInfo (?string $userInfo) : ?string {
+            if ($userInfo === null) {
+                return null;
+            }
+
+            // Taken from https://github.com/guzzle/psr7/blob/815698d9f11c908bc59471d11f642264b533346a/src/Uri.php#L592-L603
+            return preg_replace_callback(
+                '/(?:[^%'.self::CHAR_UNRESERVED.self::CHAR_SUB_DELIMS.']+|%(?![A-Fa-f0-9]{2}))/',
+                fn(array $match) => rawurlencode($match[0]),
+                $userInfo
+            );
+        }
+
         static function parsePath (string $path) : Path {
             return Path::createFromString($path);
         }
diff --git a/src/Uri.php b/src/Uri.php
@@ -48,6 +48,8 @@ function __construct (string|Stringable|null $uri) {
                     Component::HOST => $this->host = Parse::parseHost($value),
                     Component::PATH => $this->path = Parse::parsePath($value),
                     Component::QUERY => $this->query = Parse::parseQuery($value),
+                    Component::USER => $this->user = Parse::parseUserInfo($value),
+                    Component::PASS => $this->pass = Parse::parseUserInfo($value),
                     default => $this->$component = $value
                 };
             }
@@ -266,8 +268,8 @@ function withUserInfo ($user, $password = null) : static {
             }
 
             $instance = clone $this;
-            $instance->user = ($user !== '') ? $user : null;
-            $instance->pass = ($password !== '') ? $password : null;
+            $instance->user = ($user !== '') ? Parse::parseUserInfo($user) : null;
+            $instance->pass = ($password !== '') ? Parse::parseUserInfo($password) : null;
 
             return $instance;
         }

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,8 @@ function __construct (string\|Stringable\|null $uri) {`
`48`	`48`	`Component::HOST => $this->host = Parse::parseHost($value),`
`49`	`49`	`Component::PATH => $this->path = Parse::parsePath($value),`
`50`	`50`	`Component::QUERY => $this->query = Parse::parseQuery($value),`
	`51`	`+ Component::USER => $this->user = Parse::parseUserInfo($value),`
	`52`	`+ Component::PASS => $this->pass = Parse::parseUserInfo($value),`
`51`	`53`	`default => $this->$component = $value`
`52`	`54`	`};`
`53`	`55`	`}`
`@@ -266,8 +268,8 @@ function withUserInfo ($user, $password = null) : static {`
`266`	`268`	`}`
`267`	`269`
`268`	`270`	`$instance = clone $this;`
`269`		`- $instance->user = ($user !== '') ? $user : null;`
`270`		`- $instance->pass = ($password !== '') ? $password : null;`
	`271`	`+ $instance->user = ($user !== '') ? Parse::parseUserInfo($user) : null;`
	`272`	`+ $instance->pass = ($password !== '') ? Parse::parseUserInfo($password) : null;`
`271`	`273`
`272`	`274`	`return $instance;`
`273`	`275`	`}`