valyala · erikdubbelboer · Oct 5, 2025 · Sep 28, 2025 · Copilot · Sep 28, 2025
diff --git a/uri.go b/uri.go
@@ -298,8 +298,11 @@ func (u *URI) parse(host, uri []byte, isTLS bool) error {
 		u.SetSchemeBytes(strHTTPS)
 	}
 
-	if n := bytes.IndexByte(host, '@'); n >= 0 {
+	if n := bytes.LastIndexByte(host, '@'); n >= 0 {
 		auth := host[:n]
+		if !validUserinfo(auth) {
+			return ErrorInvalidURI
+		}
 		host = host[n+1:]
 
 		if n := bytes.IndexByte(auth, ':'); n >= 0 {
@@ -356,6 +359,26 @@ func (u *URI) parse(host, uri []byte, isTLS bool) error {
 	return nil
 }
 
+func validUserinfo(userinfo []byte) bool {
+	for _, c := range userinfo {
+		switch {
-func validUserinfo(userinfo []byte) bool {
-	for _, c := range userinfo {
-		switch {
+// validUserinfo checks whether the provided userinfo byte slice contains only valid characters
+// as specified by RFC 3986 section 3.2.1. The userinfo component may contain unreserved characters
+// (A-Z, a-z, 0-9, '-', '.', '_', '~'), sub-delimiters ('!', '$', '&', '\'', '(', ')', '*', '+', ',', ';', '='), 
+// as well as ':' and '@'. Percent-encoded characters ('%') are also allowed.
+//
+// Security considerations: Proper validation of userinfo is important to prevent injection attacks
+// or misinterpretation of URIs. This function ensures that only valid characters are accepted.
+func validUserinfo(userinfo []byte) bool {
+	for _, c := range userinfo {
-func validUserinfo(userinfo []byte) bool {
-	for _, c := range userinfo {
-		switch {
+// validUserinfo checks whether the provided userinfo byte slice contains only valid characters
+// as specified by RFC 3986 section 3.2.1. The userinfo component may contain unreserved characters
+// (A-Z, a-z, 0-9, '-', '.', '_', '~'), sub-delimiters ('!', '$', '&', '\'', '(', ')', '*', '+', ',', ';', '='), 
+// as well as ':' and '@'. Percent-encoded characters ('%') are also allowed.
+//
+// Security considerations: Proper validation of userinfo is important to prevent injection attacks
+// or misinterpretation of URIs. This function ensures that only valid characters are accepted.
+func validUserinfo(userinfo []byte) bool {
+	for _, c := range userinfo {
+		case 'A' <= c && c <= 'Z':
+			continue
+		case 'a' <= c && c <= 'z':
+			continue
+		case '0' <= c && c <= '9':
+			continue
+		}
+		switch c {
+		case '-', '.', '_', ':', '~', '!', '$', '&', '\'', '(', ')', '*', '+', ',', ';', '=', '%', '@':
+			continue
+		default:
+			return false
+		}
+	}
+	return true
+}
+
 // parseHost parses host as an authority without user
 // information. That is, as host[:port].
 //

diff --git a/uri_test.go b/uri_test.go
@@ -151,6 +151,44 @@ func testURIUpdate(t *testing.T, base, update, result string) {
 	}
 }
 
+func TestURIRejectInvalidUserinfo(t *testing.T) {
+	t.Parallel()
+
+	bad := []string{
+		"http://[normal.com@]vulndetector.com/",
+		"http://normal.com[user@vulndetector].com/",
+		"http://normal.com[@]vulndetector.com/",
+	}
+
+	for _, raw := range bad {
+		var u URI
+		if err := u.Parse(nil, []byte(raw)); err == nil {
+			t.Fatalf("expected error parsing %q", raw)
+		}
+	}
+}
+
+func TestURIAllowAtInUserinfo(t *testing.T) {
+	t.Parallel()
+
+	var u URI
+	if err := u.Parse(nil, []byte("http://user:p@[email protected]/")); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if got := string(u.Host()); got != "example.com" {
+		t.Fatalf("unexpected host %q", got)
+	}
+
+	if got := string(u.Username()); got != "user" {
+		t.Fatalf("unexpected username %q", got)
+	}
+
+	if got := string(u.Password()); got != "p@ss" {
+		t.Fatalf("unexpected password %q", got)
+	}
+}
+
 func TestURIPathNormalize(t *testing.T) {
 	if runtime.GOOS == "windows" {
 		t.SkipNow()