httpc: Fix percent-encoding of userinfo in URLs
According to RFC 3986 section 3.2.1, the valid characters for the userinfo component are as follows:
userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
This does not include the "@" character, which must be percent-encoded when it appears in the userinfo component of a URL.
The Basic authentication scheme, as defined in RFC 7617, does not restrict the use of any characters except for the colon (":") character in the user id. The colon should not be percent-encoded; it is just not a valid part of the user id.
When the userinfo component from the URL is converted into a Basic Authorization header, the string is correctly validated, but is not decoded. This means that the percent-encoded characters end up in the Authorization header, which the servers are expected to interpret literally and not as percent-encoded. This results in user ids and passwords containing reserved characters being misinterpreted by servers and rejected.
This commit ensures that the userinfo component is properly decoded before being used in the Basic Authorization header.
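As an added illustration of the behaviour described above (this is not httpc code and not part of the PR), the following Python contrasts a naive builder that base64-encodes the raw userinfo with a corrected builder that validates the component against the RFC 3986 grammar, splits on the first literal colon, percent-decodes user id and password separately, and rejects a user id that decodes to contain a colon. The function names and the sample URL are assumptions made for the example.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# RFC 3986 section 3.2.1:
#   userinfo   = *( unreserved / pct-encoded / sub-delims / ":" )
#   unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
#   sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
# A literal "@" is deliberately absent from the grammar: it must be sent as %40.
_USERINFO_RE = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:]|%[0-9A-Fa-f]{2})*")


def validate_userinfo(userinfo):
    """Reject a raw userinfo string that is not valid per RFC 3986."""
    if _USERINFO_RE.fullmatch(userinfo) is None:
        raise ValueError("userinfo contains characters not allowed by RFC 3986")
    return userinfo


def split_userinfo(userinfo):
    """Validate a raw (still percent-encoded) userinfo string and return
    (user_id, password), both percent-decoded; password is None if no ':' is present."""
    validate_userinfo(userinfo)
    # Split on the first *literal* colon before decoding: RFC 7617 reserves the
    # first ':' as the user-id/password separator, so an encoded %3A inside the
    # password must survive decoding as part of the password, not as a separator.
    raw_user, sep, raw_password = userinfo.partition(":")
    user_id = unquote(raw_user, errors="strict")
    password = unquote(raw_password, errors="strict") if sep else None
    # RFC 7617: the user id cannot contain a colon, whether it was encoded or not.
    if ":" in user_id:
        raise ValueError("user-id must not contain ':' (RFC 7617)")
    return user_id, password


def _userinfo_from_url(url):
    """Return the raw userinfo component of url, or None if there is none."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None
    # The last '@' terminates the userinfo; anything before it (including a
    # stray literal '@') is handed to the validator, which rejects it.
    return netloc.rsplit("@", 1)[0]


def naive_basic_authorization(url):
    """Pre-fix behaviour: the userinfo is validated but goes into the header
    undecoded, so the server sees 'user%40example.com' instead of 'user@example.com'."""
    userinfo = _userinfo_from_url(url)
    if userinfo is None:
        return None
    validate_userinfo(userinfo)
    token = base64.b64encode(userinfo.encode("utf-8")).decode("ascii")
    return "Basic " + token


def basic_authorization(url):
    """Corrected behaviour: percent-decode the userinfo before building the header."""
    userinfo = _userinfo_from_url(url)
    if userinfo is None:
        return None
    user_id, password = split_userinfo(userinfo)
    credentials = user_id + ":" + (password if password is not None else "")
    token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
    return "Basic " + token


def decoded_credentials(header):
    """What a server sees after base64-decoding a 'Basic <token>' value."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    return base64.b64decode(token).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: both the user id and the password contain reserved characters.
    url = "http://user%40example.com:p%40ss%3Aword@host.example/path"
    print("before:", decoded_credentials(naive_basic_authorization(url)))
    print("after: ", decoded_credentials(basic_authorization(url)))
```

Splitting on the colon before decoding is the detail worth checking in any implementation of this fix: decoding first and then splitting would turn a password containing `%3A` into a truncated password and a wrong user id, and would silently accept a user id that RFC 7617 says cannot exist.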
CT Test Results
2 files, 22 suites, 10m 22s: 349 tests (344 passed, 5 skipped, 0 failed); 619 runs (568 passed, 51 skipped, 0 failed).
Results for commit a0a2b376.
// Erlang/OTP Github Action Bot