authorRich Trott <rtrott@gmail.com>2022-03-07 21:00:06 -0800
committerGitHub <noreply@github.com>2022-03-08 05:00:06 +0000
commit7e1e56ac783330fef02e27b0f306abe0cfb744ed (patch)
treedefeaa5974f72c1fecb9418c8f9953abf872371f
parent60d5eed4e8718c1d1c55ad72e830b4dfbc13b151 (diff)
downloadnode-new-7e1e56ac783330fef02e27b0f306abe0cfb744ed.tar.gz
url: trim leading and trailing C0 control chars
Emulate the WHATWG URL parse behavior of trimming leading and trailing C0 control characters. This moves url.parse() slightly closer to WHATWG URL behavior. The current behavior is possibly insecure for some uses. (The url.parse() API is marked as Legacy and the documentation specifically says it has known bugs and insecure behaviors. Still, this change makes a lot of sense.) This issue was reported by P0cas. https://github.com/P0cas PR-URL: https://github.com/nodejs/node/pull/42196 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Mestery <mestery@protonmail.com> Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
-rw-r--r--lib/url.js7
-rw-r--r--test/parallel/test-url-parse-format.js15
2 files changed, 16 insertions, 6 deletions
diff --git a/lib/url.js b/lib/url.js
index 63d24bef7b..06321eecfa 100644
--- a/lib/url.js
+++ b/lib/url.js
@@ -117,7 +117,6 @@ const {
CHAR_TAB,
CHAR_CARRIAGE_RETURN,
CHAR_LINE_FEED,
- CHAR_FORM_FEED,
CHAR_NO_BREAK_SPACE,
CHAR_ZERO_WIDTH_NOBREAK_SPACE,
CHAR_HASH,
@@ -196,11 +195,7 @@ Url.prototype.parse = function parse(url, parseQueryString, slashesDenoteHost) {
const code = url.charCodeAt(i);
// Find first and last non-whitespace characters for trimming
- const isWs = code === CHAR_SPACE ||
- code === CHAR_TAB ||
- code === CHAR_CARRIAGE_RETURN ||
- code === CHAR_LINE_FEED ||
- code === CHAR_FORM_FEED ||
+ const isWs = code < 33 ||
code === CHAR_NO_BREAK_SPACE ||
code === CHAR_ZERO_WIDTH_NOBREAK_SPACE;
if (start === -1) {
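Review bot: The literal `33` in `const isWs = code < 33 ||` is a magic number, and the comment above it still says only whitespace is trimmed although every C0 control character now counts. Writing it as `const isWs = code <= CHAR_SPACE ||` and changing the comment to `// Find first and last characters that are not C0 controls or whitespace (U+0000-U+0020, as in WHATWG URL parsing)` would make the range readable; CHAR_SPACE appears to stay imported, since the import hunk drops only CHAR_FORM_FEED. Parity with WHATWG is still partial: U+00A0 and U+FEFF are trimmed here as well, and this hunk touches only the ends of the string, so code that validates a URL with url.parse() and then hands it to a WHATWG parser should not assume the two agree. The enclosing loop and the parse() body start and end outside the hunk.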
diff --git a/test/parallel/test-url-parse-format.js b/test/parallel/test-url-parse-format.js
index a4bb141b49..3914c13548 100644
--- a/test/parallel/test-url-parse-format.js
+++ b/test/parallel/test-url-parse-format.js
@@ -992,6 +992,21 @@ const parseTests = {
path: '/',
href: 'http://localhost/',
},
+
+ '\bhttp://example.com/\b': {
+ protocol: 'http:',
+ slashes: true,
+ auth: null,
+ host: 'example.com',
+ port: null,
+ hostname: 'example.com',
+ hash: null,
+ search: null,
+ query: null,
+ pathname: '/',
+ path: '/',
+ href: 'http://example.com/'
+ }
};
for (const u in parseTests) {
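Review bot: The added case exercises only U+0008, at both ends, so the boundaries of the new `code < 33` range are not pinned. Adding a key such as `'\x00http://example.com/\x1f'` with the same expected object would cover the lowest and highest C0 code points, and a case with a control character in the middle of the URL would record that only the ends are trimmed. The parseTests object starts outside the hunk.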