Merge branch 'sh-handle-colons-in-url-passwords' into 'master'

Properly handle colons in URL passwords Closes #49080 See merge request gitlab-org/gitlab-ce!20538

Merge branch 'sh-handle-colons-in-url-passwords' into 'master'
Properly handle colons in URL passwords Closes #49080 See merge request gitlab-org/gitlab-ce!20538
c6b67021 · James Lopez · c2a0a3ab · 718a23fd · c6b67021 · c6b67021
Commit c6b67021 authored Jul 11, 2018 by James Lopez
3 changed files
--- a/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml
+++ b/changelogs/unreleased/sh-handle-colons-in-url-passwords.yml
+---
+title: Properly handle colons in URL passwords
+merge_request:
+author:
+type: fixed
--- a/lib/gitlab/url_sanitizer.rb
+++ b/lib/gitlab/url_sanitizer.rb
@@ -58,7 +58,7 @@ module Gitlab
      if raw_credentials.present?
        url.sub!("#{raw_credentials}@", '')

-        user, password = raw_credentials.split(':')
+        user, _, password = raw_credentials.partition(':')
        @credentials ||= { user: user.presence, password: password.presence }
      end


--- a/spec/lib/gitlab/url_sanitizer_spec.rb
+++ b/spec/lib/gitlab/url_sanitizer_spec.rb
@@ -92,6 +92,7 @@ describe Gitlab::UrlSanitizer do
    context 'credentials in URL' do
      where(:url, :credentials) do
        'http://foo:bar@example.com' | { user: 'foo', password: 'bar' }
+        'http://foo:bar:baz@example.com' | { user: 'foo', password: 'bar:baz' }
        'http://:bar@example.com'    | { user: nil,   password: 'bar' }
        'http://foo:@example.com'    | { user: 'foo', password: nil }
        'http://foo@example.com'     | { user: 'foo', password: nil }