url: decode url entities in auth section

Fixes #2736.

1 files changed, 7 insertions, 8 deletions

diff --git a/lib/url.js b/lib/url.js
index 4f1c0e0e9c..8608a53fd8 100644
--- a/lib/url.js
+++ b/lib/url.js
@@ -135,19 +135,21 @@ function urlParse(url, parseQueryString, slashesDenoteHost) {
     // URLs are obnoxious.
     var atSign = rest.indexOf('@');
     if (atSign !== -1) {
+      var auth = rest.slice(0, atSign);
+
       // there *may be* an auth
       var hasAuth = true;
       for (var i = 0, l = nonAuthChars.length; i < l; i++) {
-        var index = rest.indexOf(nonAuthChars[i]);
-        if (index !== -1 && index < atSign) {
+        if (auth.indexOf(nonAuthChars[i]) !== -1) {
           // not a valid auth.  Something like http://foo.com/bar@baz/
           hasAuth = false;
           break;
         }
       }
+
       if (hasAuth) {
         // pluck off the auth portion.
-        out.auth = rest.substr(0, atSign);
+        out.auth = decodeURIComponent(auth);
         rest = rest.substr(atSign + 1);
       }
     }
@@ -329,11 +331,8 @@ function urlFormat(obj) {
 
   var auth = obj.auth || '';
   if (auth) {
-    auth = auth.split('@').join('%40');
-    for (var i = 0, l = nonAuthChars.length; i < l; i++) {
-      var nAC = nonAuthChars[i];
-      auth = auth.split(nAC).join(encodeURIComponent(nAC));
-    }
+    auth = encodeURIComponent(auth);
+    auth = auth.replace(/%3A/i, ':');
     auth += '@';
   }