From 4568c1d74424e2dcd370e9ee111ff61df2057fef Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <david@loudthinking.com>
Date: Sun, 4 Mar 2007 20:10:51 +0000
Subject: [PATCH] Added URL escaping of user and password when used through the
 UrlWriter

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@6314 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/lib/action_controller/url_rewriter.rb | 2 +-
 actionpack/test/controller/url_rewriter_test.rb  | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/actionpack/lib/action_controller/url_rewriter.rb b/actionpack/lib/action_controller/url_rewriter.rb
index d2b324da96..66b77e405f 100644
--- a/actionpack/lib/action_controller/url_rewriter.rb
+++ b/actionpack/lib/action_controller/url_rewriter.rb
@@ -111,7 +111,7 @@ def rewrite_path(options)
       
       def rewrite_authentication(options)
         if options[:user] && options[:password]
-          "#{options.delete(:user)}:#{options.delete(:password)}@"
+          "#{CGI.escape(options.delete(:user))}:#{CGI.escape(options.delete(:password))}@"
         else
           ""
         end
diff --git a/actionpack/test/controller/url_rewriter_test.rb b/actionpack/test/controller/url_rewriter_test.rb
index 178f44f15f..fb3e318ffd 100644
--- a/actionpack/test/controller/url_rewriter_test.rb
+++ b/actionpack/test/controller/url_rewriter_test.rb
@@ -29,7 +29,14 @@ def test_user_name_and_password
       @rewriter.rewrite(:user => "david", :password => "secret", :controller => 'c', :action => 'a', :id => 'i')
     )
   end
-  
+
+  def test_user_name_and_password_with_escape_codes
+    assert_equal(
+      'http://openid.aol.com%2Fnextangler:one+two%3F@test.host/c/a/i',
+      @rewriter.rewrite(:user => "openid.aol.com/nextangler", :password => "one two?", :controller => 'c', :action => 'a', :id => 'i')
+    )
+  end
+
   def test_overwrite_params
     @params[:controller] = 'hi'
     @params[:action] = 'bye'
-- 
GitLab