From 140ab8b26adefd427fedfc32aadf46f47f7f4019 Mon Sep 17 00:00:00 2001 From: Tomas Bzatek Date: Thu, 1 Oct 2009 23:38:59 +0200 Subject: Peoperly escape username and password in URI This prevent parsing issues and confusion with separators Fixes bugs #2454128 and #2808177 --- UConfig.pas | 4 ++-- UConnectionProperties.pas | 4 ++-- UCoreUtils.pas | 42 ++++++++++++++++++++++++++++++++++++++---- 3 files changed, 42 insertions(+), 8 deletions(-) diff --git a/UConfig.pas b/UConfig.pas index 01a47d8..5500093 100644 --- a/UConfig.pas +++ b/UConfig.pas @@ -25,8 +25,8 @@ uses Classes, ULocale; resourcestring ConstAppTitle = 'Tux Commander'; - ConstAboutVersion = '0.6.63-dev'; - ConstAboutBuildDate = '2009-09-23'; + ConstAboutVersion = '0.6.64-dev'; + ConstAboutBuildDate = '2009-10-01'; {$IFDEF FPC} {$INCLUDE fpcver.inc} diff --git a/UConnectionProperties.pas b/UConnectionProperties.pas index 99dbf9a..9899585 100644 --- a/UConnectionProperties.pas +++ b/UConnectionProperties.pas @@ -287,10 +287,10 @@ begin if Pos(':', s2) > 0 then begin s := Copy(s2, Pos(':', s2) + 1, Length(s2) - Pos(':', s2)); if s = '' then PasswordEntry.Text := '' else - if Pos('*', s) <= 0 then PasswordEntry.Text := s; + if Pos('*', s) <= 0 then PasswordEntry.Text := UnEscapeURI(s); Delete(s2, Pos(':', s2), Length(s2) - Pos(':', s2) + 1); end else PasswordEntry.Text := ''; - UserNameEntry.Text := s2; + UserNameEntry.Text := UnEscapeURI(s2); end else ServerEntry.Text := s2; CurrentURI := MakeURI(False); diff --git a/UCoreUtils.pas b/UCoreUtils.pas index fa89eea..d82f657 100644 --- a/UCoreUtils.pas +++ b/UCoreUtils.pas @@ -32,6 +32,7 @@ type const ConstERRSpawn = 26; ConstQuotationCharacters = [' ', '"', '''', '(', ')', ':', '&']; + ConstURIIllegalCharacters = '%:@/'; function GetErrorString(ErrorNo: integer): string; function GetSignalString(SignalNo: integer): string; 
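Review bot: In the UConnectionProperties.pas hunk the `Pos('*', s) <= 0` test still runs on the raw text, and `*` is not in `ConstURIIllegalCharacters`. A real password containing an asterisk therefore cannot be told apart from what appears to be the masked form, and it is never copied into PasswordEntry. Adding `*` to the escape set would make a literal asterisk arrive as `%2A`, leaving an unescaped `*` to mean the mask only. The enclosing procedure starts and ends outside the hunk, so confirm how `s2` is obtained.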
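Review bot: `ConstURIIllegalCharacters` in the UCoreUtils.pas hunk leaves out `?` and `#`, and EscapeURI (added later in this commit) passes space and control characters through unchanged. A user name or password containing any of these is still written raw into the userinfo part, where a generic URI parser would read `?` or `#` as the start of the query or fragment and cut the authority short. Consider `ConstURIIllegalCharacters = '%:@/?#';` and extending the EscapeURI condition with `or (Ord(Str[i]) <= $20)`. Which parser consumes the resulting URI is not visible here, so check the set against it.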
@@ -96,6 +97,8 @@ procedure SetupColors; function ConstructURI(IncludePasswd, HidePasswd: boolean; Protocol, Server, Username, Password, Dir: string): string; function URIHidePassword(const SrcURI: string): string; +function UnEscapeURI(const Str: string): string; +function EscapeURI(const Str: string; const IllegalChars: string): string; function StrTotimetDef(const S: string; const Default: time_t): time_t; @@ -838,7 +841,7 @@ begin if (libGnomeUI2Handle = nil) or (@gnome_about_new = nil) then Application.MessageBox(Format(LANGAboutString, [ConstAboutVersion, ConstAboutBuildDate])) else begin - AboutBox := gnome_about_new('Tux Commander', nil, 'Copyright © 2008 Tomáš Bžatek', + AboutBox := gnome_about_new('Tux Commander', nil, 'Copyright © 2009 Tomáš Bžatek', PChar(Format(LANGAboutStringGnome, [ConstAboutVersion, ConstAboutBuildDate])), @Authors, nil, Translations, nil); gtk_window_set_transient_for(GTK_WINDOW(AboutBox), GTK_WINDOW(FMain.FWidget)); @@ -1022,10 +1025,10 @@ function ConstructURI(IncludePasswd, HidePasswd: boolean; Protocol, Server, User begin Result := Protocol + '://'; if Length(Username) > 0 then begin - Result := Result + Username; + Result := Result + EscapeURI(Username, ConstURIIllegalCharacters); if (Length(Password) > 0) and IncludePasswd then begin - if HidePasswd then Result := Result + ':' + StringOfChar('*', Length(Password)) - else Result := Result + ':' + Password; + if HidePasswd then Result := Result + ':' + StringOfChar('*', Length(EscapeURI(Password, ConstURIIllegalCharacters))) + else Result := Result + ':' + EscapeURI(Password, ConstURIIllegalCharacters); end; Result := Result + '@'; end; 
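Review bot: The masked branch of ConstructURI emits one `*` per character of the escaped password, so the displayed URI discloses the password's length and, since escaped characters count three times, hints at how many characters needed escaping. Unless other code relies on the mask width (URIHidePassword is not visible here), a fixed-width mask such as `Result := Result + ':' + StringOfChar('*', 8)` would avoid that. The function continues past the end of the hunk.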
@@ -1057,6 +1060,37 @@ begin end; end; +(********************************************************************************************************************************) +function UnEscapeURI(const Str: string): string; +var i: integer; +begin + Result := ''; + if Length(Str) > 0 then begin + i := 1; + while i <= Length(Str) do begin + if (Str[i] = '%') and (i <= Length(Str) - 2) then begin + Result := Result + Chr(StrToInt('$' + Copy(Str, i + 1, 2))); + Inc(i, 3); + end else begin + Result := Result + Str[i]; + Inc(i); + end; + end; + end; +end; + +function EscapeURI(const Str: string; const IllegalChars: string): string; +var i: integer; +begin + Result := ''; + if Length(Str) > 0 then + for i := 1 to Length(Str) do begin + if (Ord(Str[i]) >= $80) or (Pos(Str[i], IllegalChars) > 0) + then Result := Result + '%' + IntToHex(Ord(Str[i]), 2) + else Result := Result + Str[i]; + end; +end; + (********************************************************************************************************************************) procedure DebugMsg(Params: array of const); var -- cgit v1.2.3
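Review bot: UnEscapeURI hands the two characters after `%` straight to `StrToInt`, so a malformed escape such as `%zz` raises EConvertError in the caller, and the UConnectionProperties.pas hunk calls it on text taken from the URI being parsed. `%00` also decodes to a NUL character, which would presumably truncate the user name or password once the string reaches a PChar-based API. The loop should decode only when both characters are hex digits and the value is non-zero, and otherwise copy the `%` through literally, as sketched below.

```pascal
function UnEscapeURI(const Str: string): string;
var i, code: integer;
begin
  Result := '';
  i := 1;
  while i <= Length(Str) do begin
    code := -1;
    // Decode only a well-formed %XX; anything else is kept as typed.
    if (Str[i] = '%') and (i <= Length(Str) - 2) and
       (Str[i + 1] in ['0'..'9', 'A'..'F', 'a'..'f']) and
       (Str[i + 2] in ['0'..'9', 'A'..'F', 'a'..'f'])
      then code := StrToInt('$' + Copy(Str, i + 1, 2));
    if code > 0 then begin
      Result := Result + Chr(code);
      Inc(i, 3);
    end else begin
      // Malformed escape or %00: emit the character literally.
      Result := Result + Str[i];
      Inc(i);
    end;
  end;
end;
// … unchanged: EscapeURI …
```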