Missing test regarding `UriInterface#withUserInfo` and passwords containing invalid URL characters

[boesing]

PHP version: ANY

Description

I recently had an issue with a PSR-7 implementation which does not urlencode passwords when passed to UriInterface#withUri.
At least ext-curl has problems with some characters (not all) when used within the username and/or password.

How to reproduce

$uri = $uri->withScheme('http');
$uri = $uri->withHost('example.org');
$uri = $uri->withUserInfo('username', 'password#');

echo (string) $uri; // http://username:password#@example.org => when used with curl, curl error 3 malformed uri

I do not expect usernames to work with special characters, but having secure passwords usually contain one or more special characters (including #) which do definitely lead to curl error 3 malformed uri.

Possible Solution

I'd prefer an integration test which verifies that (at least passwords) UriInterface#withUserInfo uses urlencode to encode user info.

Additional context

Adding a Screenshot from XDEBUG having the issue with the # inside the userInfo (which is not urlencoded) along with the errno which guzzle adds to the EasyHandle after executing the request.

[dbu]

i propose here that psr7 should specify this behaviour (for both username and password, the http client should not make assumptions about what a valid username is).

do you want to do the pull request to add some tests for the behaviour of withUserInfo to the integration tests?

[boesing]

Do we want to wait until we have a proper decision or should we add a test which passes laminas, slim, guzzle logic?

[dbu]

lets add some tests, also for the weird situations like foo%3Abar:baz. that might also help for the fig discussion to see it illustrated what happens.