
Bug 1645: Generated session URL has colons in TLS/SSL fingerprint unnecessarily URL-encoded

https://winscp.net/tracker/1645

Source commit: 034c095d71b646a6a812b8d4e70906bec81f5cac
Martin Prikryl 7 年之前
父节点
当前提交
8511379856
共有 3 个文件被更改,包括 8 次插入15 次删除
  1. 5 5
      source/core/Common.cpp
  2. 1 1
      source/core/Common.h
  3. 2 9
      source/core/SessionData.cpp

+ 5 - 5
source/core/Common.cpp

@@ -2545,7 +2545,7 @@ UnicodeString __fastcall DecodeUrlChars(UnicodeString S)
   return S;
 }
 //---------------------------------------------------------------------------
-UnicodeString __fastcall DoEncodeUrl(UnicodeString S, bool EncodeSlash)
+UnicodeString __fastcall DoEncodeUrl(UnicodeString S, const UnicodeString & DoNotEncode)
 {
   int Index = 1;
   while (Index <= S.Length())
@@ -2554,7 +2554,7 @@ UnicodeString __fastcall DoEncodeUrl(UnicodeString S, bool EncodeSlash)
     if (IsLetter(C) ||
         IsDigit(C) ||
         (C == L'_') || (C == L'-') || (C == L'.') || (C == L'*') ||
-        ((C == L'/') && !EncodeSlash))
+        (DoNotEncode.Pos(C) > 0))
     {
       Index++;
     }
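Review bot: Nothing constrains what a caller may put in `DoNotEncode`, so the new `DoNotEncode.Pos(C) > 0` test passes `%` or a component delimiter through unencoded if one is ever listed. A raw `%` in the output would presumably be read as the start of an escape by `DecodeUrlChars`, so the encoded string would no longer round-trip. The contract should be stated where callers see it, on the `EncodeUrlString` declaration in Common.h, for example `// DoNotEncode: characters copied verbatim; must not contain '%' or any delimiter of the URL component being built`. The declaration of `C` and the encoding branch of the loop are outside this hunk, so it is not visible here whether `Pos(C)` searches for a single character or relies on a temporary string built per character.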
@@ -2574,14 +2574,14 @@ UnicodeString __fastcall DoEncodeUrl(UnicodeString S, bool EncodeSlash)
   return S;
 }
 //---------------------------------------------------------------------------
-UnicodeString __fastcall EncodeUrlString(UnicodeString S)
+UnicodeString __fastcall EncodeUrlString(UnicodeString S, const UnicodeString & DoNotEncode)
 {
-  return DoEncodeUrl(S, true);
+  return DoEncodeUrl(S, DoNotEncode);
 }
 //---------------------------------------------------------------------------
 UnicodeString __fastcall EncodeUrlPath(UnicodeString S)
 {
-  return DoEncodeUrl(S, false);
+  return DoEncodeUrl(S, L"/");
 }
 //---------------------------------------------------------------------------
 UnicodeString __fastcall AppendUrlParams(UnicodeString AURL, UnicodeString Params)

+ 1 - 1
source/core/Common.h

@@ -107,7 +107,7 @@ bool __fastcall IsLetter(wchar_t Ch);
 bool __fastcall IsDigit(wchar_t Ch);
 bool __fastcall IsHex(wchar_t Ch);
 UnicodeString __fastcall DecodeUrlChars(UnicodeString S);
-UnicodeString __fastcall EncodeUrlString(UnicodeString S);
+UnicodeString __fastcall EncodeUrlString(UnicodeString S, const UnicodeString & DoNotEncode = UnicodeString());
 UnicodeString __fastcall EncodeUrlPath(UnicodeString S);
 UnicodeString __fastcall AppendUrlParams(UnicodeString URL, UnicodeString Params);
 UnicodeString __fastcall ExtractFileNameFromUrl(const UnicodeString & Url);

+ 2 - 9
source/core/SessionData.cpp

@@ -2922,16 +2922,9 @@ UnicodeString __fastcall TSessionData::GenerateSessionUrl(unsigned int Flags)
 
     if (FLAGSET(Flags, sufHostKey) && !HostKey.IsEmpty())
     {
-      UnicodeString S = NormalizeFingerprint(HostKey);
       // Many SHA-256 fingeprints end with an equal sign and we do not really need it to be encoded, so avoid that.
-      if (EndsStr(L"=", S))
-      {
-        S = EncodeUrlString(S.SubString(1, S.Length() - 1)) + L"=";
-      }
-      else
-      {
-        S = EncodeUrlString(S);
-      }
+      // Also colons in TLS/SSL fingerprint do not really need encoding.
+      UnicodeString S = EncodeUrlString(NormalizeFingerprint(HostKey), L"=:");
 
       Url +=
         UnicodeString(UrlParamSeparator) + UrlHostKeyParamName +
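Review bot: Passing `L"=:"` leaves every `=` and `:` in the normalized host key unencoded, whereas the removed branch exempted only a single trailing `=`. Where this parameter ends up in the URL is not visible, because the `Url +=` statement continues past the hunk; if it sits in the part before `@`, generic URL syntax treats a raw `:` there as the user/password separator. It is worth confirming that the session URL parser extracts the parameters before splitting on `:` or `=`, and that a `HostKey` value from an imported or hand-edited configuration still round-trips through generate and parse. The retained comment also has a typo; it should read `// Many SHA-256 fingerprints end with an equal sign ...`.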