HomePhabricator

Reject ambiguous URIs with unescaped "#" or "?" in username/password parts

Authored by epriestley on Apr 10 2017, 4:48 PM.

Description

Reject ambiguous URIs with unescaped "#" or "?" in username/password parts

Summary:
Fixes T12526. These URIs are ambiguous and nonstandard, and different versions of different clients parse them differently.

Instead of trying to get this right across PHP versions, just reject these outright. No normal user will ever expect these to work.

Test Plan: Ran unit tests in PHP 7.1, got clean results. See T12526 for more discussion.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T12526

Differential Revision: https://secure.phabricator.com/D17647