
Commit b02bf03

fix(parse): treat backslash as forwardslash in authority (#403)
Make `https://attacker.com\\@example.com` be handled like `https://attacker.com\\@example.com/`: the backslash is treated as a forward slash, so the result is `https://attacker.com/@example.com`.
1 parent d7064ab commit b02bf03

2 files changed

+55
-3
lines changed

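--- a/src/URI.js
+++ b/src/URI.js
@@ -612,19 +612,22 @@
 };
 URI.parseUserinfo = function(string, parts) {
 // extract username:password
+var _string = string
 var firstBackSlash = string.indexOf('\\');
+if (firstBackSlash !== -1) {
+string = string.replace(/\\/g, '/')
+}
 var firstSlash = string.indexOf('/');
-var slash = firstBackSlash === -1 ? firstSlash : (firstSlash !== -1 ? Math.min(firstBackSlash, firstSlash): firstSlash)
 var pos = string.lastIndexOf('@', firstSlash > -1 ? firstSlash : string.length - 1);
 var t;
 
 // authority@ must come before /path or \path
-if (pos > -1 && (slash === -1 || pos < slash)) {
+if (pos > -1 && (firstSlash === -1 || pos < firstSlash)) {
 t = string.substring(0, pos).split(':');
 parts.username = t[0] ? URI.decode(t[0]) : null;
 t.shift();
 parts.password = t[0] ? URI.decode(t.join(':')) : null;
-string = string.substring(pos + 1);
+string = _string.substring(pos + 1);
 } else {
 parts.username = null;
 parts.password = null;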
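Review bot: In `URI.parseUserinfo` the two branches now hand back differently normalised text: the userinfo branch assigns `_string.substring(pos + 1)`, which keeps the caller's backslashes, while the `else` branch leaves `string` with every backslash already rewritten to `/`. Whether the host is split correctly in the userinfo case therefore depends on a later parsing stage handling backslashes again, which this hunk does not show. Using the normalised remainder in both branches (`string = string.substring(pos + 1);`, dropping `_string`) would give one normalisation point; if keeping the original text is intentional, a comment naming the stage that is expected to deal with the remaining backslashes would make that contract explicit. The `firstBackSlash` guard is also redundant, since `replace(/\\/g, '/')` is a no-op without a match, and the two added assignments omit the trailing semicolon the surrounding lines use. The function body continues past the end of the hunk.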

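--- a/test/urls.js
+++ b/test/urls.js
@@ -2033,6 +2033,55 @@ var urls = [{
 idn: false,
 punycode: false
 }
+}, {
+name: 'backslashes authority, no ending slash',
+url: 'https://attacker.com\\@example.com',
+_url: 'https://attacker.com/@example.com',
+parts: {
+protocol: 'https',
+username: null,
+password: null,
+hostname: 'attacker.com',
+port: null,
+path: '/@example.com',
+query: null,
+fragment: null
+},
+accessors: {
+protocol: 'https',
+username: '',
+password: '',
+port: '',
+path: '/@example.com',
+query: '',
+fragment: '',
+resource: '/@example.com',
+authority: 'attacker.com',
+origin: 'https://attacker.com',
+userinfo: '',
+subdomain: '',
+domain: 'attacker.com',
+tld: 'com',
+directory: '/',
+filename: '@example.com',
+suffix: 'com',
+hash: '',
+search: '',
+host: 'attacker.com',
+hostname: 'attacker.com'
+},
+is: {
+urn: false,
+url: true,
+relative: false,
+name: true,
+sld: false,
+ip: false,
+ip4: false,
+ip6: false,
+idn: false,
+punycode: false
+}
 }
 ];
 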
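Review bot: The added fixture only exercises the no-userinfo path of `URI.parseUserinfo` (no `@` before the first slash), so the changed line `string = _string.substring(pos + 1);` in src/URI.js is not covered by anything added in this commit. A companion case with real userinfo ahead of a backslash, for example a constructed input such as `'https://user:pass@host.example\\path'`, would pin which hostname and path come out when the un-normalised remainder is returned. If the file does not already hold one, a fixture for the trailing-slash spelling that the commit message compares against would also document that both forms agree.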
