From c90eac7e0eefd6b2da62012a7b5bca524fe6cba2 Mon Sep 17 00:00:00 2001
From: Jonathan Johnson <me@jondavidjohn.com>
Date: Wed, 26 Nov 2014 20:02:25 -0600
Subject: url: change hostname regex to negate invalid chars

Regarding joyent/node#8520

This changes hostname validation from a whitelist regex approach
to a blacklist regex approach as described in https://url.spec.whatwg.org/#host-parsing.

url.parse misinterpreted `https://good.com+.evil.org/`
as `https://good.com/+.evil.org/`.  If we use url.parse to check the
validity of the hostname, the test passes, but in the browser the
user is redirected to the evil.org website.
---
 lib/url.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'lib/url.js')

diff --git a/lib/url.js b/lib/url.js
index 56b1be9328..2231ea0ca7 100644
--- a/lib/url.js
+++ b/lib/url.js
@@ -72,8 +72,9 @@ var protocolPattern = /^([a-z0-9.+-]+:)/i,
     nonHostChars = ['%', '/', '?', ';', '#'].concat(autoEscape),
     hostEndingChars = ['/', '?', '#'],
     hostnameMaxLen = 255,
-    hostnamePartPattern = /^[a-z0-9A-Z_-]{0,63}$/,
-    hostnamePartStart = /^([a-z0-9A-Z_-]{0,63})(.*)$/,
+    hostnamePatternString = '[^' + nonHostChars.join('') + ']{0,63}',
+    hostnamePartPattern = new RegExp('^' + hostnamePatternString + '$'),
+    hostnamePartStart = new RegExp('^(' + hostnamePatternString + ')(.*)$'),
     // protocols that can allow "unsafe" and "unwise" chars.
     unsafeProtocol = {
       'javascript': true,
-- 
cgit v1.2.3