On Tue, Jun 04, 2019 at 01:02:43AM +0000, brian m. carlson wrote: > It looks like several of the places we do this are in the credential > manager code, and I think I can agree that usernames and passwords > should not contain NUL characters (for Basic auth, RFC 7617 prohibits > it). It also seems that the credential code decodes the path parameter > before passing it on, which is unfortunate, but can't be changed for > backward compatibility reasons. > > And then the other instances are a file: URL in remote-testsvn.c and > query parameters that have no reason to contain NULs in http-backend.c. OK. Good to know that there is no justification to support %00 in URLs. > So I think overall this is fine, although we probably want to change the > commit summary to say "NUL" instead of "NULL". Applied for the next roll-up. Thank you for taking a look.
