authorphajdan.jr@chromium.org <phajdan.jr@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-09-16 00:20:29 +0000
committerphajdan.jr@chromium.org <phajdan.jr@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-09-16 00:20:29 +0000
commit99d69350703593e50793dc6017cc67d31b54fe33 (patch)
tree6576111f7904b644fc3e547312f4ae9eef4872a0 /net/http
parent4066f2d8f1e778029f1663546d39efb221ffc590 (diff)
More correctly handle username and password in FtpNetworkTransaction.
- prevent newline injection attacks
- correctly unescape credentials provided in the URL

TEST=Covered by net_unittests.
http://crbug.com/20336
Review URL: http://codereview.chromium.org/183046

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26305 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/http')
-rw-r--r--net/http/http_network_transaction.cc11
-rw-r--r--net/http/http_network_transaction.h8
-rw-r--r--net/http/http_network_transaction_unittest.cc65
3 files changed, 1 insertions, 83 deletions
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index 1c39524..8fd0700 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -1808,7 +1808,7 @@ bool HttpNetworkTransaction::SelectNextAuthIdentityToTry(
auth_identity_[target].source = HttpAuth::IDENT_SRC_URL;
auth_identity_[target].invalid = false;
// Extract the username:password from the URL.
- GetIdentifyFromUrl(request_->url,
+ GetIdentityFromURL(request_->url,
&auth_identity_[target].username,
&auth_identity_[target].password);
embedded_identity_used_ = true;
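Review bot: The call to `GetIdentityFromURL` in the URL-identity branch of SelectNextAuthIdentityToTry relies on a helper whose definition is not part of this path-limited diff, so its unescaping rules cannot be checked from here. The removed `GetIdentifyFromUrl` unescaped with `UnescapeRule::SPACES` only, and its test kept `%00` escaped; if the shared helper decodes control characters, this HTTP caller would pass raw CR, LF or NUL bytes from the URL to the auth handlers. I would confirm that the helper leaves control characters escaped and that the cases deleted from http_network_transaction_unittest.cc (`%00`, `+`, `&`, the UTF-8 password) are covered where the helper now lives. A comment at the call would record the contract, for example `// Shared helper: must not unescape control characters (CR/LF/NUL) from URL credentials.` The enclosing function starts before this hunk and continues past it.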
@@ -1848,15 +1848,6 @@ bool HttpNetworkTransaction::SelectNextAuthIdentityToTry(
return false;
}
-// static
-void HttpNetworkTransaction::GetIdentifyFromUrl(const GURL& url,
- std::wstring* username,
- std::wstring* password) {
- UnescapeRule::Type flags = UnescapeRule::SPACES;
- *username = UnescapeAndDecodeUTF8URLComponent(url.username(), flags);
- *password = UnescapeAndDecodeUTF8URLComponent(url.password(), flags);
-}
-
std::string HttpNetworkTransaction::AuthChallengeLogMessage() const {
std::string msg;
std::string header_val;
diff --git a/net/http/http_network_transaction.h b/net/http/http_network_transaction.h
index 7a0d635..d3b114d 100644
--- a/net/http/http_network_transaction.h
+++ b/net/http/http_network_transaction.h
@@ -62,8 +62,6 @@ class HttpNetworkTransaction : public HttpTransaction {
private:
FRIEND_TEST(HttpNetworkTransactionTest, ResetStateForRestart);
- FRIEND_TEST(HttpNetworkTransactionTest, GetIdentifyFromUrl);
- FRIEND_TEST(HttpNetworkTransactionTest, GetIdentifyFromUrl_UTF8);
// This version of IOBuffer lets us use a string as the real storage and
// "move" the data pointer inside the string before using it to do actual IO.
@@ -263,12 +261,6 @@ class HttpNetworkTransaction : public HttpTransaction {
// was found.
bool SelectNextAuthIdentityToTry(HttpAuth::Target target);
- // Extract the unescaped username/password from |url|, saving the results
- // into |*username| and |*password|.
- static void GetIdentifyFromUrl(const GURL& url,
- std::wstring* username,
- std::wstring* password);
-
// Searches the auth cache for an entry that encompasses the request's path.
// If such an entry is found, updates auth_identity_[target] and
// auth_handler_[target] with the cache entry's data and returns true.
diff --git a/net/http/http_network_transaction_unittest.cc b/net/http/http_network_transaction_unittest.cc
index dbe14e7..32185c4 100644
--- a/net/http/http_network_transaction_unittest.cc
+++ b/net/http/http_network_transaction_unittest.cc
@@ -3676,69 +3676,4 @@ TEST_F(HttpNetworkTransactionTest, BypassHostCacheOnRefresh) {
EXPECT_EQ(ERR_NAME_NOT_RESOLVED, rv);
}
-TEST_F(HttpNetworkTransactionTest, GetIdentifyFromUrl) {
- struct {
- const char* input_url;
- const wchar_t* expected_username;
- const wchar_t* expected_password;
- } tests[] = {
- {
- "http://username:password@google.com",
- L"username",
- L"password",
- },
- { // Test for http://crbug.com/19200
- "http://username:p@ssword@google.com",
- L"username",
- L"p@ssword",
- },
- { // Username contains %20.
- "http://use rname:password@google.com",
- L"use rname",
- L"password",
- },
- { // Keep %00 as is.
- "http://use%00rname:password@google.com",
- L"use%00rname",
- L"password",
- },
- { // Use a '+' in the username.
- "http://use+rname:password@google.com",
- L"use+rname",
- L"password",
- },
- { // Use a '&' in the password.
- "http://username:p&ssword@google.com",
- L"username",
- L"p&ssword",
- },
- };
- for (size_t i = 0; i < ARRAYSIZE_UNSAFE(tests); ++i) {
- SCOPED_TRACE(StringPrintf("Test[%d]: %s", i, tests[i].input_url));
- GURL url(tests[i].input_url);
-
- std::wstring username, password;
- HttpNetworkTransaction::GetIdentifyFromUrl(url, &username, &password);
-
- EXPECT_EQ(tests[i].expected_username, username);
- EXPECT_EQ(tests[i].expected_password, password);
- }
-}
-
-// Try extracting a username which was encoded with UTF8.
-TEST_F(HttpNetworkTransactionTest, GetIdentifyFromUrl_UTF8) {
- GURL url(WideToUTF16(L"http://foo:\x4f60\x597d@blah.com"));
-
- EXPECT_EQ("foo", url.username());
- EXPECT_EQ("%E4%BD%A0%E5%A5%BD", url.password());
-
- // Extract the unescaped identity.
- std::wstring username, password;
- HttpNetworkTransaction::GetIdentifyFromUrl(url, &username, &password);
-
- // Verify that it was decoded as UTF8.
- EXPECT_EQ(L"foo", username);
- EXPECT_EQ(L"\x4f60\x597d", password);
-}
-
} // namespace net