[ruby/uri] Clear user info totally at setting any of authority info

Fix CVE-2025-27221. https://hackerone.com/reports/3221142 https://github.com/ruby/uri/commit/5cec76b9e8
2026-01-26 20:19:19 +00:00 · 2025-07-12 11:51:31 +09:00 · 2025-07-12 11:51:31 +09:00 · d0395bd0ea
commit d0395bd0ea
parent e3d4cb5de5
2 changed files with 16 additions and 9 deletions
--- a/lib/uri/generic.rb
+++ b/lib/uri/generic.rb
@ -186,18 +186,18 @@ module URI

      if arg_check
        self.scheme = scheme
-        self.userinfo = userinfo
        self.hostname = host
        self.port = port
+        self.userinfo = userinfo
        self.path = path
        self.query = query
        self.opaque = opaque
        self.fragment = fragment
      else
        self.set_scheme(scheme)
-        self.set_userinfo(userinfo)
        self.set_host(host)
        self.set_port(port)
+        self.set_userinfo(userinfo)
        self.set_path(path)
        self.query = query
        self.set_opaque(opaque)
@ -511,7 +511,7 @@ module URI
        user, password = split_userinfo(user)
      end
      @user     = user
-      @password = password if password
+      @password = password

      [@user, @password]
    end
@ -522,7 +522,7 @@ module URI
    # See also URI::Generic.user=.
    #
    def set_user(v)
-      set_userinfo(v, @password)
+      set_userinfo(v, nil)
      v
    end
    protected :set_user
@ -639,6 +639,7 @@ module URI
    def host=(v)
      check_host(v)
      set_host(v)
+      set_userinfo(nil)
      v
    end

@ -729,6 +730,7 @@ module URI
    def port=(v)
      check_port(v)
      set_port(v)
+      set_userinfo(nil)
      port
    end

--- a/test/uri/test_generic.rb
+++ b/test/uri/test_generic.rb
@ -283,6 +283,9 @@ class URI::TestGeneric < Test::Unit::TestCase
    u0 = URI.parse('http://new.example.org/path')
    u1 = u.merge('//new.example.org/path')
    assert_equal(u0, u1)
+    u0 = URI.parse('http://other@example.net')
+    u1 = u.merge('//other@example.net')
+    assert_equal(u0, u1)
  end

  def test_route
@ -748,17 +751,18 @@ class URI::TestGeneric < Test::Unit::TestCase
  def test_set_component
    uri = URI.parse('http://foo:bar@baz')
    assert_equal('oof', uri.user = 'oof')
-    assert_equal('http://oof:bar@baz', uri.to_s)
+    assert_equal('http://oof@baz', uri.to_s)
    assert_equal('rab', uri.password = 'rab')
    assert_equal('http://oof:rab@baz', uri.to_s)
    assert_equal('foo', uri.userinfo = 'foo')
-    assert_equal('http://foo:rab@baz', uri.to_s)
+    assert_equal('http://foo@baz', uri.to_s)
    assert_equal(['foo', 'bar'], uri.userinfo = ['foo', 'bar'])
    assert_equal('http://foo:bar@baz', uri.to_s)
    assert_equal(['foo'], uri.userinfo = ['foo'])
-    assert_equal('http://foo:bar@baz', uri.to_s)
+    assert_equal('http://foo@baz', uri.to_s)
    assert_equal('zab', uri.host = 'zab')
-    assert_equal('http://foo:bar@zab', uri.to_s)
+    assert_equal('http://zab', uri.to_s)
+    uri.userinfo = ['foo', 'bar']
    uri.port = ""
    assert_nil(uri.port)
    uri.port = "80"
@ -768,7 +772,8 @@ class URI::TestGeneric < Test::Unit::TestCase
    uri.port = " 080 "
    assert_equal(80, uri.port)
    assert_equal(8080, uri.port = 8080)
-    assert_equal('http://foo:bar@zab:8080', uri.to_s)
+    assert_equal('http://zab:8080', uri.to_s)
+    uri = URI.parse('http://foo:bar@zab:8080')
    assert_equal('/', uri.path = '/')
    assert_equal('http://foo:bar@zab:8080/', uri.to_s)
    assert_equal('a=1', uri.query = 'a=1')