url: trim leading and trailing C0 control chars
Emulate the WHATWG URL parse behavior of trimming leading and trailing
C0 control characters. This moves url.parse() slightly closer to
WHATWG URL behavior. The current behavior is possibly insecure for some
uses. (The url.parse() API is marked as Legacy and the documentation
specifically says it has known bugs and insecure behaviors. Still, this
change makes a lot of sense.)

This issue was reported by P0cas. https://github.com/P0cas

PR-URL: #42196
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Darshan Sen <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Mestery <[email protected]>
Reviewed-By: Anto Aravinth <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Trott authored and bengl committed Mar 20, 2022
1 parent f27bcec commit b89f4d5
Showing 2 changed files with 16 additions and 6 deletions.
7 changes: 1 addition & 6 deletions lib/url.js
Expand Up @@ -117,7 +117,6 @@ const {
CHAR_TAB,
CHAR_CARRIAGE_RETURN,
CHAR_LINE_FEED,
CHAR_FORM_FEED,
CHAR_NO_BREAK_SPACE,
CHAR_ZERO_WIDTH_NOBREAK_SPACE,
CHAR_HASH,
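Review bot: only CHAR_FORM_FEED is dropped from this destructuring, but the isWs rewrite later in the same commit also stops referencing CHAR_SPACE, CHAR_TAB, CHAR_CARRIAGE_RETURN and CHAR_LINE_FEED. Please confirm each of those is still used elsewhere in lib/url.js; any that is not should be removed here as well so the import list does not carry dead names.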
Expand Down Expand Up @@ -196,11 +195,7 @@ Url.prototype.parse = function parse(url, parseQueryString, slashesDenoteHost) {
const code = url.charCodeAt(i);

// Find first and last non-whitespace characters for trimming
const isWs = code === CHAR_SPACE ||
code === CHAR_TAB ||
code === CHAR_CARRIAGE_RETURN ||
code === CHAR_LINE_FEED ||
code === CHAR_FORM_FEED ||
const isWs = code < 33 ||
code === CHAR_NO_BREAK_SPACE ||
code === CHAR_ZERO_WIDTH_NOBREAK_SPACE;
if (start === -1) {
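Review bot: the bare `code < 33` in the isWs expression is a magic number, and the comment above it still says "non-whitespace characters" although the check now matches every C0 control character (U+0000 to U+001F) plus space. Suggest rewording the comment to say "C0 control or space", matching the WHATWG behavior the commit message cites, and writing the bound as `code <= CHAR_SPACE` so the intent is readable without knowing the code point. The comment could also state that U+007F (DEL) is deliberately outside this range, since a reader may expect "control characters" to include it.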
15 changes: 15 additions & 0 deletions test/parallel/test-url-parse-format.js
Expand Up @@ -977,6 +977,21 @@ const parseTests = {
path: '/everybody',
href: '//[email protected]/everybody#to-the-limit'
},

'\bhttp://example.com/\b': {
protocol: 'http:',
slashes: true,
auth: null,
host: 'example.com',
port: null,
hostname: 'example.com',
hash: null,
search: null,
query: null,
pathname: '/',
path: '/',
href: 'http://example.com/'
}
};

for (const u in parseTests) {
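Review bot: the new `'\bhttp://example.com/\b'` case exercises only U+0008 on both ends, so the boundaries of the `code < 33` check are untested. Suggest adding cases for U+0000 and U+001F at either end, and a case with a control character in the middle of the URL to pin down that only leading and trailing characters are affected. Since the commit message describes the old behavior as possibly insecure, the exact set of trimmed characters deserves explicit tests.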