From b27e5ed1f5c96a41ef125f917550434a033a7f7e Mon Sep 17 00:00:00 2001
From: Adam Cooke
Date: Wed, 26 Apr 2017 11:41:05 +0100
Subject: [PATCH] escape usernames & passwords when setting the DATABASE_URL
---
 lib/postal/config.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/postal/config.rb b/lib/postal/config.rb
index b40e312..8d926f1 100644
--- a/lib/postal/config.rb
+++ b/lib/postal/config.rb
@@ -1,5 +1,6 @@
 require 'yaml'
 require 'pathname'
+require 'cgi'
 require_relative 'error'
 require_relative 'version'
@@ -50,7 +51,7 @@ module Postal
 def self.database_url
 if config.main_db
- "mysql2://#{config.main_db.username}:#{config.main_db.password}@#{config.main_db.host}:#{config.main_db.port}/#{config.main_db.database}?encoding=#{config.main_db.encoding || 'utf8mb4'}"
+ "mysql2://#{CGI.escape(config.main_db.username.to_s)}:#{CGI.escape(config.main_db.password.to_s)}@#{config.main_db.host}:#{config.main_db.port}/#{config.main_db.database}?reconnect=true&encoding=#{config.main_db.encoding || 'utf8mb4'}"
 else
 "mysql2://root@localhost/postal"
 end
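Review bot: `CGI.escape` applies form encoding, so a space in the username or password on the new `"mysql2://#{CGI.escape(...)}` line is emitted as `+` rather than `%20`. If the consumer of DATABASE_URL percent-decodes the userinfo without mapping `+` back to a space (worth confirming for the ActiveRecord version in use), such credentials would stop authenticating. A strict percent-encoder such as `ERB::Util.url_encode(config.main_db.password.to_s)` (with `require 'erb'`) avoids that ambiguity. The `database` and `encoding` values are still interpolated unescaped. The same line also adds `reconnect=true`, which the commit message does not mention, so a short comment above the string covering both would help. The `end` that closes `database_url` lies outside the hunk.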