cURL / Mailing Lists / curl-library / Single Mail


RE: URL with @ in passwords

From: Darrick Brown <>
Date: Thu, 29 Jul 2004 16:19:49 -0700

The correct URL format is:

As far as I can tell, the problem is the input, not curl. If your
script/application properly formats the URL, curl will parse it apart
properly. I've never had a problem with curl failing to parse a properly
formed URL correctly.

It's important to understand that URL's/URI's are *not* strings. They are
data structures that contain scheme, host, port, path, query, fragment,
username, and password data items. They are serialized into string format
for transmission or display. The various characters that the URI syntax
uses ('/', '@', '#', '?', etc.) are reserved for separating the different
data segments of the URI. If you have a character that conflicts with the
syntax of the URI, it must be %hex escaped. In this case, all '@'
characters other than the '@' that separates the password from the host must
be %hex escaped, else they will cause ambiguous parsing like you have
encountered. When your script/application assembles the URL in string
format, it needs to do so by escaping any conflicting characters.

The URI RFC ( makes for great bedtime
reading (zzzz...) and should answer most questions of this nature.

 - Darrick


-----Original Message-----
[] On Behalf Of Gisle Vanem
Sent: Friday, July 30, 2004 7:34 AM
To: libcurl development
Subject: Re: URL with @ in passwords

"Daniel Stenberg" <> wrote:

> > Could a url like this be legalised?
> >
> >> curl -v
> It could possibly be dealt with, if we made the parser scan for the
> _last_ @-letter to terminate the password instead of having the
> _first_ @-letter found do it.

You mean the last '@' before the file part? So an URL

would work.

Man, this is getting complicated doing in C. I think I once suggested using
liburi or a generated scanner for this. I have some half-finished url-parser
done with GNU flex if you'd care to look at it.

Received on 2004-07-30