authorJonathan Johnson <me@jondavidjohn.com>2014-11-26 20:02:25 -0600
committerBert Belder <bertbelder@gmail.com>2014-12-09 17:57:10 +0100
commitc90eac7e0eefd6b2da62012a7b5bca524fe6cba2 (patch)
tree475f36567eb9ca4293e0b7e4ae28bcf146268243 /lib/url.js
parentf1f511fd22d9a46fd05594e3e8a44c5a2d9feeb0 (diff)
url: change hostname regex to negate invalid chars
Regarding joyent/node#8520: this changes hostname validation from a whitelist regex approach to a blacklist regex approach, as described in https://url.spec.whatwg.org/#host-parsing. url.parse misinterpreted `https://good.com+.evil.org/` as `https://good.com/+.evil.org/`. If we use url.parse to check the validity of the hostname, the test passes, but in the browser the user is redirected to the evil.org website.
Diffstat (limited to 'lib/url.js')
-rw-r--r--lib/url.js5
1 files changed, 3 insertions, 2 deletions
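diff --git a/lib/url.js b/lib/url.js
index 56b1be9328..2231ea0ca7 100644
--- a/lib/url.js
+++ b/lib/url.js
@@ -72,8 +72,9 @@ var protocolPattern = /^([a-z0-9.+-]+:)/i,
 nonHostChars = ['%', '/', '?', ';', '#'].concat(autoEscape),
 hostEndingChars = ['/', '?', '#'],
 hostnameMaxLen = 255,
- hostnamePartPattern = /^[a-z0-9A-Z_-]{0,63}$/,
- hostnamePartStart = /^([a-z0-9A-Z_-]{0,63})(.*)$/,
+ hostnamePatternString = '[^' + nonHostChars.join('') + ']{0,63}',
+ hostnamePartPattern = new RegExp('^' + hostnamePatternString + '$'),
+ hostnamePartStart = new RegExp('^(' + hostnamePatternString + ')(.*)$'),
 // protocols that can allow "unsafe" and "unwise" chars.
 unsafeProtocol = {
 'javascript': true,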
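Review bot: On the added `hostnamePatternString` line the members of `nonHostChars` are joined into a `[^...]` character class without any escaping, so a regex-significant character in that list alters the class instead of being excluded by it. `nonHostChars` is built from `autoEscape`, which is defined outside this hunk; if it contains `\`, `]` or `-`, a backslash would escape the character after it rather than being rejected itself, `]` would close the class early, and `-` could form a range, so a character the author meant to forbid could be accepted in a hostname part, which defeats the purpose of the change. Escaping each member keeps the intent and costs one line: `hostnamePatternString = '[^' + nonHostChars.map(function(c) { return '\\' + c; }).join('') + ']{0,63}',`. A test that feeds a hostname containing each member of `nonHostChars` through url.parse would pin this down. The `var` statement these declarations belong to begins before the hunk.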