diff options
author | Ben Noordhuis <info@bnoordhuis.nl> | 2013-04-12 15:54:31 +0200 |
---|---|---|
committer | isaacs <i@izs.me> | 2013-04-12 16:27:50 -0700 |
commit | 38149bb048d9833cc3cf9a13cbff5300fbed36ef (patch) | |
tree | 672d6ed175fb30127285f8bb6f28cefb94aa8c50 /lib/http.js | |
parent | 881ef7cc5fc897cca2f2f0a512e59111ff5a6cd8 (diff) | |
download | android-node-v8-38149bb048d9833cc3cf9a13cbff5300fbed36ef.tar.gz android-node-v8-38149bb048d9833cc3cf9a13cbff5300fbed36ef.tar.bz2 android-node-v8-38149bb048d9833cc3cf9a13cbff5300fbed36ef.zip |
http: escape unsafe characters in request path
Make http.request() and friends escape unsafe characters in the request
path. That is, a request for '/foo bar' is now escaped as '/foo%20bar'.
Before this commit, the path was used as-is in the request status line,
creating an invalid HTTP request ("GET /foo bar HTTP/1.1").
Fixes #4381.
Diffstat (limited to 'lib/http.js')
-rw-r--r-- | lib/http.js | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/http.js b/lib/http.js index ac6b1c6bf7..f6a9b7d4f6 100644 --- a/lib/http.js +++ b/lib/http.js @@ -1774,6 +1774,11 @@ ClientRequest.prototype.clearTimeout = function(cb) { exports.request = function(options, cb) { if (typeof options === 'string') { options = url.parse(options); + } else if (options && options.path) { + options = util._extend({}, options); + options.path = encodeURI(options.path); + // encodeURI() doesn't escape quotes while url.parse() does. Fix up. + options.path = options.path.replace(/'/g, '%27'); } if (options.protocol && options.protocol !== 'http:') { |