From 2dd76ab803b809ab7be2b6881256a6527fd3e11c Mon Sep 17 00:00:00 2001
From: Valeri Karpov
Date: Sat, 25 Mar 2017 17:41:47 -0600
Subject: [PATCH] fix(connection): throw error if username:password includes @ or : Re: #5091
---
 lib/connection.js | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/lib/connection.js b/lib/connection.js
index 1cd17c4e44b..c2cd448934a 100644
--- a/lib/connection.js
+++ b/lib/connection.js
@@ -177,6 +177,7 @@ Connection.prototype.config;
 Connection.prototype.open = function(host, database, port, options, callback) {
 var parsed;
 var Promise = PromiseProvider.get();
+ var err;
 if (typeof database === 'string') {
 switch (arguments.length) {
@@ -236,7 +237,7 @@ Connection.prototype.open = function(host, database, port, options, callback) {
 // make sure we can open
 if (STATES.disconnected !== this.readyState) {
- var err = new Error('Trying to open unclosed connection.');
+ err = new Error('Trying to open unclosed connection.');
 err.state = this.readyState;
 this.error(err, callback);
 return new Promise.ES6(function(resolve, reject) {
@@ -245,14 +246,16 @@ Connection.prototype.open = function(host, database, port, options, callback) {
 }
 if (!host) {
- this.error(new Error('Missing hostname.'), callback);
+ err = new Error('Missing hostname.');
+ this.error(err, callback);
 return new Promise.ES6(function(resolve, reject) {
 reject(err);
 });
 }
 if (!database) {
- this.error(new Error('Missing database name.'), callback);
+ err = new Error('Missing database name.');
+ this.error(err, callback);
 return new Promise.ES6(function(resolve, reject) {
 reject(err);
 });
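Review bot: The error path is written out by hand at each check: assign `err`, call `this.error(err, callback)`, then return a `new Promise.ES6(...)` that rejects with `err`. It appears at the unclosed-connection, missing-hostname and missing-database checks in these hunks, and twice more in the credentials hunk at -269. One local helper taking `err` and `callback` and returning the rejected promise would keep the callback and promise paths reporting the same error object. The removed lines show how they drifted: the error was passed only to `this.error`, while `reject(err)` used an `err` that was not assigned on that branch. The body of `open` starts and ends outside these hunks, so the helper would need to cover any further early returns there as well.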
@@ -269,7 +272,23 @@ Connection.prototype.open = function(host, database, port, options, callback) {
 // Check hostname for user/pass
 } else if (/@/.test(host) && /:/.test(host.split('@')[0])) {
 host = host.split('@');
+ if (host.length > 2) {
+ err = new Error('Username and password must be URI encoded if they ' +
+ 'contain "@", see http://bit.ly/2nRYRyq');
+ this.error(err, callback);
+ return new Promise.ES6(function(resolve, reject) {
+ reject(err);
+ });
+ }
 var auth = host.shift().split(':');
+ if (auth.length > 2) {
+ err = new Error('Username and password must be URI encoded if they ' +
+ 'contain ":", see http://bit.ly/2nRYRyq');
+ this.error(err, callback);
+ return new Promise.ES6(function(resolve, reject) {
+ reject(err);
+ });
+ }
 host = host.pop();
 this.user = auth[0];
 this.pass = auth[1];
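Review bot: The new `host.length > 2` check is only reached when the text before the first `@` already contains a `:`, because the enclosing `else if` tests `host.split('@')[0]`. A host string whose username part holds the `@` (constructed example: `us@er:pw@localhost`) skips the whole branch, so no error is raised and the credentials stay inside `host`. Testing the part before the last `@` would route that case into the new check: `} else if (/@/.test(host) && /:/.test(host.slice(0, host.lastIndexOf('@')))) {`. What happens to `host` afterwards is outside this hunk, as are the start of the `if`/`else if` chain and the rest of `open`. The error text also points at a shortened bit.ly link; the full documentation URL would let readers see the destination and would not depend on a third-party redirect.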