authorJonathan Johnson <me@jondavidjohn.com>2014-11-26 20:02:25 -0600
committerTrevor Norris <trev.norris@gmail.com>2014-12-02 17:24:18 -0800
commit61204720361824881aefd64f5bccda7d7be6617a (patch)
treec1679aac01a66eaaf316cfd5b63e518f7ef028a7 /test
parentc4f6c22c2033038c3629bc5c48f0f2346d211378 (diff)
url: change hostname regex to negate invalid chars
Regarding joyent/node#8520: this changes hostname validation from a whitelist regex approach to a blacklist regex approach, as described in https://url.spec.whatwg.org/#host-parsing. url.parse misinterpreted `https://good.com+.evil.org/` as `https://good.com/+.evil.org/`. If url.parse is used to check the validity of the hostname, the check passes, but in the browser the user is redirected to the evil.org website.
Diffstat (limited to 'test')
-rw-r--r--test/simple/test-url.js36
1 files changed, 24 insertions, 12 deletions
diff --git a/test/simple/test-url.js b/test/simple/test-url.js
index df72cc6f4e..f12a00dbed 100644
--- a/test/simple/test-url.js
+++ b/test/simple/test-url.js
@@ -177,32 +177,44 @@ var parseTests = {
'path': '/Y'
},
+ // + not an invalid host character
+ // per https://url.spec.whatwg.org/#host-parsing
+ 'http://x.y.com+a/b/c' : {
+ 'href': 'http://x.y.com+a/b/c',
+ 'protocol': 'http:',
+ 'slashes': true,
+ 'host': 'x.y.com+a',
+ 'hostname': 'x.y.com+a',
+ 'pathname': '/b/c',
+ 'path': '/b/c'
+ },
+
// an unexpected invalid char in the hostname.
- 'HtTp://x.y.cOm*a/b/c?d=e#f g<h>i' : {
- 'href': 'http://x.y.com/*a/b/c?d=e#f%20g%3Ch%3Ei',
+ 'HtTp://x.y.cOm;a/b/c?d=e#f g<h>i' : {
+ 'href': 'http://x.y.com/;a/b/c?d=e#f%20g%3Ch%3Ei',
'protocol': 'http:',
'slashes': true,
'host': 'x.y.com',
'hostname': 'x.y.com',
- 'pathname': '/*a/b/c',
+ 'pathname': ';a/b/c',
'search': '?d=e',
'query': 'd=e',
'hash': '#f%20g%3Ch%3Ei',
- 'path': '/*a/b/c?d=e'
+ 'path': ';a/b/c?d=e'
},
// make sure that we don't accidentally lcast the path parts.
- 'HtTp://x.y.cOm*A/b/c?d=e#f g<h>i' : {
- 'href': 'http://x.y.com/*A/b/c?d=e#f%20g%3Ch%3Ei',
+ 'HtTp://x.y.cOm;A/b/c?d=e#f g<h>i' : {
+ 'href': 'http://x.y.com/;A/b/c?d=e#f%20g%3Ch%3Ei',
'protocol': 'http:',
'slashes': true,
'host': 'x.y.com',
'hostname': 'x.y.com',
- 'pathname': '/*A/b/c',
+ 'pathname': ';A/b/c',
'search': '?d=e',
'query': 'd=e',
'hash': '#f%20g%3Ch%3Ei',
- 'path': '/*A/b/c?d=e'
+ 'path': ';A/b/c?d=e'
},
'http://x...y...#p': {
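Review bot: The added `'http://x.y.com+a/b/c'` case pins only a benign host, so the input named in the commit description, `https://good.com+.evil.org/`, still has no regression test. A case for that URL asserting `'hostname': 'good.com+.evil.org'` (presumably the intended result, given the `x.y.com+a` expectation here) would lock in the behaviour that host allow-list checks depend on. Replacing `*` with `;` in the two cases that follow also removes the only assertions on how `*` in the authority is parsed, so that outcome is now unpinned; keeping one `*` case with its new expected `host` would make the change visible. The comment could state the reason as well, e.g. `// '+' must stay in the hostname so a host check sees what a browser resolves`. The `parseTests` object starts and ends outside this hunk.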
@@ -517,17 +529,17 @@ var parseTests = {
'path': '/'
},
- 'http://www.Äffchen.cOm*A/b/c?d=e#f g<h>i' : {
- 'href': 'http://www.xn--ffchen-9ta.com/*A/b/c?d=e#f%20g%3Ch%3Ei',
+ 'http://www.Äffchen.cOm;A/b/c?d=e#f g<h>i' : {
+ 'href': 'http://www.xn--ffchen-9ta.com/;A/b/c?d=e#f%20g%3Ch%3Ei',
'protocol': 'http:',
'slashes': true,
'host': 'www.xn--ffchen-9ta.com',
'hostname': 'www.xn--ffchen-9ta.com',
- 'pathname': '/*A/b/c',
+ 'pathname': ';A/b/c',
'search': '?d=e',
'query': 'd=e',
'hash': '#f%20g%3Ch%3Ei',
- 'path': '/*A/b/c?d=e'
+ 'path': ';A/b/c?d=e'
},
'http://SÉLIER.COM/' : {
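Review bot: The new expectation `'pathname': ';A/b/c'` has no leading slash while `href` in the same case is `http://www.xn--ffchen-9ta.com/;A/b/c?...`, so joining `host` and `pathname` no longer reproduces the URL; the replaced `*` expectation was `/*A/b/c`. The two `;` cases in the first hunk pin the same shape (`';a/b/c'`, `';A/b/c'`). If that is intended, a comment on the case would keep it from looking like a typo, e.g. `// ';' ends the host and stays at the start of the path; href gains the '/' when formatted` (to be confirmed against lib/url.js, which this test-only view does not show). These cases also keep the heading `an unexpected invalid char in the hostname`, which may no longer describe what `;` exercises.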