From e1d8cf487dd597c95fd52512113f6056fa3f10ba Mon Sep 17 00:00:00 2001
From: Alvar Penning <alvar.penning@icinga.com>
Date: Thu, 9 Apr 2026 13:28:24 +0200
Subject: [PATCH] Url::ParseUserinfo: Actually verify Password

In Url::ParseUserinfo, after extracting the password, ValidateToken is
incorrectly called upon m_Username instead of m_Password. This commit
fixes this and actually verifies the password.

The bug was introduced with the surrounding code in 6571ffc2c8aadd52f2bb6b0f1931e1920761b5b8.

Luckily, this does not seem to have any security impact. However, as
being a bug, this commit now fixes the behavior.
---
 lib/remote/url.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/remote/url.cpp b/lib/remote/url.cpp
index 3779df72ff9..3e3206c0bb5 100644
--- a/lib/remote/url.cpp
+++ b/lib/remote/url.cpp
@@ -266,7 +266,7 @@ bool Url::ParseUserinfo(const String& userinfo)
 	m_Username = Utility::UnescapeString(m_Username);
 	if (pos != String::NPos && pos != userinfo.GetLength() - 1) {
 		m_Password = userinfo.SubStr(pos+1);
-		if (!ValidateToken(m_Username, ACUSERINFO))
+		if (!ValidateToken(m_Password, ACUSERINFO))
 			return false;
 		m_Password = Utility::UnescapeString(m_Password);
 	} else