Don't include bad password in URI exception output

tenderlove · tenderlove · commit c2cbd5528cd1 · 2016-09-15T21:44:56.000Z
We shouldn't include the bad password in the URI exception output
message.  Just knowing that there is a bad password is enough
information.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56166 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,10 @@
+Fri Sep 16 06:43:25 2016  Aaron Patterson <tenderlove@ruby-lang.org>
+
+	* lib/uri/generic.rb (def check_password): don't include bad password
+	  in URI exception output
+
+	* test/uri/test_generic.rb (def test_set_component): test for behavior
+
 Thu Sep 15 21:40:03 2016  Kazuhiro NISHIYAMA  <zn@mbf.nifty.com>
 
 	* doc/extension.ja.rdoc: Fix file name.
diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
@@ -428,7 +428,7 @@ def check_password(v, user = @user)
 
       if parser.regexp[:USERINFO] !~ v
         raise InvalidComponentError,
-          "bad component(expected user component): #{v}"
+          "bad password component"
       end
 
       return true
diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
@@ -749,6 +749,15 @@ def test_set_component
     assert_equal('foo:xyzzy', uri.to_s)
   end
 
+  def test_bad_password_component
+    uri = URI.parse('http://foo:bar@baz')
+    password = 'foo@bar'
+    e = assert_raise(URI::InvalidComponentError) do
+      uri.password = password
+    end
+    refute_match password, e.message
+  end
+
   def test_set_scheme
     uri = URI.parse 'HTTP://example'
 
