authorMyles Borins <myles.borins@gmail.com>2017-10-26 22:35:25 -0400
committerMyles Borins <myles.borins@gmail.com>2017-10-29 21:32:15 -0400
commitace4fe566fc3af4876c7458f983feeb5eae3df26 (patch)
tree458d847e9bd56199cd0d8b34cec126c7410fb6ca /deps/npm/node_modules/request/node_modules/tough-cookie/lib/cookie.js
parent64168eb9b43e30e4c0b986c9b29c41be63e85df6 (diff)
deps: update npm to 5.5.1
Closes: https://github.com/nodejs/node/pull/16280 PR-URL: https://github.com/nodejs/node/pull/16509 Fixes: https://github.com/nodejs/node/issues/14161 Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michaël Zasso <targos@protonmail.com>
Diffstat (limited to 'deps/npm/node_modules/request/node_modules/tough-cookie/lib/cookie.js')
-rw-r--r--deps/npm/node_modules/request/node_modules/tough-cookie/lib/cookie.js9
1 files changed, 7 insertions, 2 deletions
diff --git a/deps/npm/node_modules/request/node_modules/tough-cookie/lib/cookie.js b/deps/npm/node_modules/request/node_modules/tough-cookie/lib/cookie.js
index c3dacfe44a..ccf941f841 100644
--- a/deps/npm/node_modules/request/node_modules/tough-cookie/lib/cookie.js
+++ b/deps/npm/node_modules/request/node_modules/tough-cookie/lib/cookie.js
@@ -53,16 +53,20 @@ var COOKIE_OCTETS = new RegExp('^'+COOKIE_OCTET.source+'+$');
var CONTROL_CHARS = /[\x00-\x1F]/;
+// For COOKIE_PAIR and LOOSE_COOKIE_PAIR below, the number of spaces has been
+// restricted to 256 to side-step a ReDoS issue reported here:
+// https://github.com/salesforce/tough-cookie/issues/92
+
// Double quotes are part of the value (see: S4.1.1).
// '\r', '\n' and '\0' should be treated as a terminator in the "relaxed" mode
// (see: https://github.com/ChromiumWebApps/chromium/blob/b3d3b4da8bb94c1b2e061600df106d590fda3620/net/cookies/parsed_cookie.cc#L60)
// '=' and ';' are attribute/values separators
// (see: https://github.com/ChromiumWebApps/chromium/blob/b3d3b4da8bb94c1b2e061600df106d590fda3620/net/cookies/parsed_cookie.cc#L64)
-var COOKIE_PAIR = /^(([^=;]+))\s*=\s*([^\n\r\0]*)/;
+var COOKIE_PAIR = /^(([^=;]+))\s{0,256}=\s*([^\n\r\0]*)/;
// Used to parse non-RFC-compliant cookies like '=abc' when given the `loose`
// option in Cookie.parse:
-var LOOSE_COOKIE_PAIR = /^((?:=)?([^=;]*)\s*=\s*)?([^\n\r\0]*)/;
+var LOOSE_COOKIE_PAIR = /^((?:=)?([^=;]*)\s{0,256}=\s*)?([^\n\r\0]*)/;
// RFC6265 S4.1.1 defines path value as 'any CHAR except CTLs or ";"'
// Note ';' is \x3B
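Review bot: The `\s{0,256}` bound in COOKIE_PAIR and LOOSE_COOKIE_PAIR caps the backtracking rather than removing it: the preceding `[^=;]+` / `[^=;]*` class also matches whitespace, so the two quantifiers still compete for the same run of spaces, and a pair with no `=` costs up to roughly 256 attempts per character instead of a quadratic number. The new comment should say so, e.g. `// [^=;] also matches whitespace, so the bound limits backtracking per position; it does not reject names followed by more than 256 spaces.` For untrusted Set-Cookie input it would also be worth bounding the string length before either regex runs; whether Cookie.parse already does that is not visible in this hunk. As the file is vendored under deps/npm/node_modules, any such change belongs in tough-cookie upstream rather than here.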
@@ -1206,6 +1210,7 @@ CookieJar.prototype._importCookies = function(serialized, cb) {
if (!cookies || !Array.isArray(cookies)) {
return cb(new Error('serialized jar has no cookies array'));
}
+ cookies = cookies.slice(); // do not modify the original
function putNext(err) {
if (err) {