Most recent version confirmed.

I've setup some tests here to illustrate the issue. After the code snippet some examples with output illustrating the issue will follow.

I firmly believe there's a parser issue here when there's multiple @ symbols in a URI, Demonstrated on case 2, to show it not going to the specified host, but rather the second half of the username if it contains an "@".

Code
alias testUrlGet {
  if (!$sock(phttpd)) { pseudohttpd }
  var %user = user@localhost
  var %pass = pass
  var %host = localhost
  var %path = /some/where
  var %query = some=additional&data=here
  var %URI = $+(http://,%user,:,%pass,@,%host,%path,?,%query)

  echo -s *** Connecting to: %URI
  noop $urlget(%URI,gbi,&Bool,process_UrlGetReturn)
}
alias process_UrlGetReturn {
  var %id = $1 , %BV = $urlget(%id).target

  echo -si2 * url: $urlget(%id).url
  echo -si2 * redirect: $urlget(%id).redirect
  echo -si2 * method: $urlget(%id).method
  echo -si2 * type: $urlget(%id).type
  echo -si2 * target: $urlget(%id).target
  echo -si2 * alias: $urlget(%id).alias
  echo -si2 * id: $urlget(%id).id
  echo -si2 * state: $urlget(%id).state
  echo -si2 * size: $urlget(%id).size
  echo -si2 * resume: $urlget(%id).resume
  echo -si2 * rcvd: $urlget(%id).rcvd
  echo -si2 * time: $urlget(%id).time
  echo -si2 * reply: $urlget(%id).reply

  if ($bvar(%BV,0)) { echo -si2 * Data : $bvar(%BV,1-).text }
}

;========================================================================================
; Fake HTTP for testing...
;========================================================================================

alias pseudohttpd { 
  if (!$window(@PseudoHttpd)) { window -dk @PseudoHttpd -1 -1 640 480 }
  if (!$sock(phttpd)) { socklisten phttpd 80 }
  phttpd.debug *** Listening on 80
}
alias phttpd.debug { echo -i5 @PseudoHttpd $1- }

on *:socklisten:phttpd: {
  var %x = 1 , %sock = phttp. $+ %x
  while ($sock($+(phttp.,%x))) { var %x = %x + 1 , %sock = phttp. $+ %x }
  sockaccept %sock
}
on *:sockread:phttp.*: {
  var %in
  if ($sockerr > 0) { return }
  while ($sock($sockname).rq) {
    sockread -n %in
    if (!$sockbr) { break }
    if (%in != $null) { phttpd.debug -> $+([,$sockname,]) %in }
    if ($regex(%in,/^GET\s/i)) { sockmark $sockname 1 }
    if ($regex(%in,/^Authorization\:\sBasic (.*)/i)) { sockmark $sockname $iif($decode($regml(1),m) === user@localhost:pass,3,2) }
  }
  if ($sock($sockname).mark) {
    var %mark = $v1
    if (%mark == 3) { var %status = 200 , %stext = OK , %msg = Success! }
    else { var %status = 401 , %stext = Unauthorized , %msg = Access to this resource is denied, your client has not supplied the correct authentication. }
    bset -t &out 1 $+(HTTP/1.1 %status %stext,$crlf,Date: $asctime($calc($gmt - $daylight),ddd $+ $chr(44) dd mmm yyyy HH:nn:ss ) GMT,$crlf,Server: localhost,$crlf,Host: localhost,$crlf,WWW-Authenticate: basic realm="mIRC",$crlf,Connection: close,$crlf)
    sockwrite $sockname &out
    bset -ct &out 1 $+(Content-type: text/html,$crlf,$crlf,<h1> %status %stext </h1><hr> %msg)
    sockwrite $sockname &out
    phttpd.debug <- $+([,$sockname,]) %status
  }
}
on *:sockwrite:phttp.*: { if (!$sock($sockname).sq) { sockclose $sockname } }
on *:close:@PseudoHttpd: { sockclose phttp* }

Without any modifications:
/testurlget

Results:
Code
*** Connecting to: http://user@localhost:pass@localhost/some/where?some=additional&data=here
* url: http://user@localhost:pass@localhost/some/where?some=additional&data=here
* redirect:
* method: get
* type: binvar
* target: &Bool
* alias: process_UrlGetReturn
* id: 1031
* state: fail
* size: 0
* resume: 0
* rcvd: 0
* time: 1000
* reply: HTTP/1.1 401 Unauthorized
Date: Wed, 10 Jan 2024 00:08:19 GMT
Server: localhost
Host: localhost
WWW-Authenticate: basic realm="mIRC"
Connection: close
Content-type: text/html

HTTPD Window:
Code
-> [phttp.1] GET /some/where?some=additional&data=here HTTP/1.1
-> [phttp.1] Accept: */*
-> [phttp.1] Accept-Encoding: gzip, deflate
-> [phttp.1] User-Agent: mIRC
-> [phttp.1] Host: localhost
-> [phttp.1] Connection: Keep-Alive
-> [phttp.1] Cache-Control: no-cache
<- [phttp.1] 401
-> [phttp.1] GET /some/where?some=additional&data=here HTTP/1.1
-> [phttp.1] Accept: */*
-> [phttp.1] Accept-Encoding: gzip, deflate
-> [phttp.1] User-Agent: mIRC
-> [phttp.1] Host: localhost
-> [phttp.1] Connection: Keep-Alive
-> [phttp.1] Cache-Control: no-cache
-> [phttp.1] Authorization: Basic dXNlciU0MGxvY2FsaG9zdDpwYXNz
<- [phttp.1] 401

Through whatever reason this one half worked!
We notice that it connects, tries to get, gets a 401, connects again and tries to auth.

somewhere dunno if it's WinINet or in mIRC, it tried to auth with:
Encoded: dXNlciU0MGxvY2FsaG9zdDpwYXNz
Decoded: user%40localhost:pass

so somewhere in this chain it did get percent encoded, but the stored encoded value was never "decoded" before being mimed and sent as a literal... Therefore the base64 is wrong.




It gets more strange!

close or clear the @PseudoHttpd (which shuts down the fake server, or if you cleared it just clears the old log)
Now let's modify the %user on line 4: let's make it user@gmail.com
/testurlget

Results:
Code
*** Connecting to: http://user@gmail.com:pass@localhost/some/where?some=additional&data=here
* url: http://user@gmail.com:pass@localhost/some/where?some=additional&data=here
* redirect:
* method: get
* type: binvar
* target: &Bool
* alias: process_UrlGetReturn
* id: 1032
* state: fail
* size: 1601
* resume: 0
* rcvd: 0
* time: 468
* reply: HTTP/1.1 404 Not Found
Cross-Origin-Resource-Policy: cross-origin
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Wed, 10 Jan 2024 00:14:53 GMT
Server: sffe
Content-Length: 1601
X-XSS-Protection: 0

HTTPD Window:
Code
none! We connected to gmail.com NOT localhost!

Maybe we need to percent encode user:pass? @ = character 64, which is 40 in hex, let's use on line 4: user%40localhost maybe somewhere between mirc and wininet the string to base64 encode gets percent-encoded and decoded whatever.. let's just try it out...

/testurlget

Results:
Code
*** Connecting to: http://user%40localhost:pass@localhost/some/where?some=additional&data=here
* url: http://user%40localhost:pass@localhost/some/where?some=additional&data=here
* redirect:
* method: get
* type: binvar
* target: &Bool
* alias: process_UrlGetReturn
* id: 1033
* state: fail
* size: 0
* resume: 0
* rcvd: 0
* time: 2734
* reply: HTTP/1.1 401 Unauthorized
Date: Wed, 10 Jan 2024 00:17:17 GMT
Server: localhost
Host: localhost
WWW-Authenticate: basic realm="mIRC"
Connection: close
Content-type: text/html

HTTPD Window:
Code
-> [phttp.1] GET /some/where?some=additional&data=here HTTP/1.1
-> [phttp.1] Accept: */*
-> [phttp.1] Accept-Encoding: gzip, deflate
-> [phttp.1] User-Agent: mIRC
-> [phttp.1] Host: localhost
-> [phttp.1] Connection: Keep-Alive
-> [phttp.1] Cache-Control: no-cache
<- [phttp.1] 401
-> [phttp.1] GET /some/where?some=additional&data=here HTTP/1.1
-> [phttp.1] Accept: */*
-> [phttp.1] Accept-Encoding: gzip, deflate
-> [phttp.1] User-Agent: mIRC
-> [phttp.1] Host: localhost
-> [phttp.1] Connection: Keep-Alive
-> [phttp.1] Cache-Control: no-cache
-> [phttp.1] Authorization: Basic dXNlciU0MGxvY2FsaG9zdDpwYXNz
<- [phttp.1] 401

we got back an auth! what is it?
dXNlciU0MGxvY2FsaG9zdDpwYXNz == user%40localhost:pass

ok so we're back to where we started...