begin <= end (4 <= 2) when slicing a://a in Url::username

[mateon1]

Found by fuzzing.

let url = Url::parse("a:/a/..//a").unwrap()
url.username(); // panic

thread 'main' panicked at 'begin <= end (4 <= 2) when slicing `a://a`', /checkout/src/libcore/str/mod.rs:2179:4
stack backtrace:
   0: std::sys::imp::backtrace::tracing::imp::unwind_backtrace
             at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1: std::sys_common::backtrace::_print
             at /checkout/src/libstd/sys_common/backtrace.rs:71
   2: std::panicking::default_hook::{{closure}}
             at /checkout/src/libstd/sys_common/backtrace.rs:60
             at /checkout/src/libstd/panicking.rs:381
   3: std::panicking::default_hook
             at /checkout/src/libstd/panicking.rs:397
   4: std::panicking::rust_panic_with_hook
             at /checkout/src/libstd/panicking.rs:577
   5: std::panicking::begin_panic
             at /checkout/src/libstd/panicking.rs:538
   6: std::panicking::begin_panic_fmt
             at /checkout/src/libstd/panicking.rs:522
   7: rust_begin_unwind
             at /checkout/src/libstd/panicking.rs:498
   8: core::panicking::panic_fmt
             at /checkout/src/libcore/panicking.rs:71
   9: core::str::slice_error_fail
             at /checkout/src/libcore/str/mod.rs:2179
  10: core::str::traits::<impl core::slice::SliceIndex<str> for core::ops::range::Range<usize>>::index::{{closure}}
             at /checkout/src/libcore/str/mod.rs:1850
  11: <core::option::Option<T>>::unwrap_or_else
             at /checkout/src/libcore/option.rs:370
  12: core::str::traits::<impl core::slice::SliceIndex<str> for core::ops::range::Range<usize>>::index
             at /checkout/src/libcore/str/mod.rs:1850
  13: core::str::traits::<impl core::ops::index::Index<core::ops::range::Range<usize>> for str>::index
             at /checkout/src/libcore/str/mod.rs:1624
  14: <core::ops::range::Range<u32> as url::RangeArg>::slice_of
             at src/lib.rs:2160
  15: url::Url::slice
             at src/lib.rs:2066
  16: url::Url::username
             at src/lib.rs:705
  17: testurl::test
             at ./testurl.rs:14
  18: testurl::main
             at ./testurl.rs:38
  19: __rust_maybe_catch_panic
             at /checkout/src/libpanic_unwind/lib.rs:99
  20: std::rt::lang_start
             at /checkout/src/libstd/panicking.rs:459
             at /checkout/src/libstd/panic.rs:361
             at /checkout/src/libstd/rt.rs:59
  21: main
  22: __libc_start_main
  23: _start

[windwarrior]

I have tried (and so far failed) to find and fix this issue, here is what I have found:

The variable username_end is set here to 2, and the parser (I think) rightfully assumes that this URL has no authority. The remainder of the URL is parsed as a path in which some form of truncation happens to a://a.

The problem now is that the (truncated) URL is a://a, which is considered an URL with authority in has_authority since the truncated URL does start (after the scheme) with ://. The username function then attempts to extract this username, but username_end is set to 2 because the parser didn't think there was an autorithy section in this URL.

I think its a mismatch between parser and lib code, the former thinking there is no authority section and the latter thinking there is, but have too limited of an understanding of the codebase to decide which of the two is in the wrong. I do hope however that my little bughunt helps you solve the issue!

Furthermore, I have found that the testcase presented in this issue is not minimal, the url a:/..// also crashes for similar reasons.

[qsantos]

It looks like this was resolved by 9aac190 or #655 by @djc