Skip to content

deps: encodeurl@~2.0.0 #5569

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 4, 2024
Merged

deps: encodeurl@~2.0.0 #5569

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
deps: encodeurl@~2.0.0
  • Loading branch information
@blakeembrey
blakeembrey committed Apr 24, 2024
commit d6e6204552622efc5e0af5a99c39cfac7cf7c0cc
6 changes: 6 additions & 0 deletions History.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
unreleased
==========

* deps: encodeurl@~2.0.0
- Removes encoding of `\`, `|`, and `^` to align better with URL spec

4.19.2 / 2024-03-25
==========

Expand Down
10 changes: 1 addition & 9 deletions lib/response.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,6 @@ module.exports = res
*/

var charsetRegExp = /;\s*charset\s*=/;
var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?]+/;

/**
* Set status `code`.
Expand Down Expand Up @@ -914,14 +913,7 @@ res.location = function location(url) {
loc = String(url);
}

var m = schemaAndHostRegExp.exec(loc);
var pos = m ? m[0].length + 1 : 0;

// Only encode after host to avoid invalid encoding which can introduce
// vulnerabilities (e.g. `\\` to `%5C`).
loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos));

return this.set('Location', loc);
return this.set('Location', encodeUrl(loc));
};

/**
Expand Down
2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@
"cookie-signature": "1.0.6",
"debug": "2.6.9",
"depd": "2.0.0",
"encodeurl": "~1.0.2",
"encodeurl": "~2.0.0",
"escape-html": "~1.0.3",
"etag": "~1.8.1",
"finalhandler": "1.2.0",
Expand Down
17 changes: 3 additions & 14 deletions test/res.location.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -293,23 +293,12 @@ describe('res', function(){
);
});

it('should percent encode backslashes in the path', function (done) {
it('should keep backslashes in the path', function (done) {
var app = createRedirectServerForDomain('google.com');
testRequestedRedirect(
app,
'https://google.com/foo\\bar\\baz',
'https://google.com/foo%5Cbar%5Cbaz',
'google.com',
done
);
});

it('should encode backslashes in the path after the first backslash that triggered path parsing', function (done) {
var app = createRedirectServerForDomain('google.com');
testRequestedRedirect(
app,
'https://google.com\\@app\\l\\e.com',
'https://google.com\\@app%5Cl%5Ce.com',
'https://google.com/foo\\bar\\baz',
'google.com',
done
);
Expand Down Expand Up @@ -364,7 +353,7 @@ describe('res', function(){
testRequestedRedirect(
app,
'file:///etc\\passwd',
'file:///etc%5Cpasswd',
'file:///etc\\passwd',
'',
done
);
Expand Down
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy