File: CVE-2018-3774.patch

Description: Fix for CVE-2018-3774
Author: Arnout Kazemier <https://github.com/3rd-Eden/>
Origin: upstream, https://github.com/unshiftio/url-parse/commit/53b1794e
Bug: https://security-tracker.debian.org/tracker/CVE-2018-3774
Bug-Debian: https://bugs.debian.org/906058
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2019-06-11

--- a/index.js
+++ b/index.js
@@ -20,6 +20,9 @@
 var instructions = [
   ['#', 'hash'],                        // Extract from the back.
   ['?', 'query'],                       // Extract from the back.
+  function sanitize(address) {          // Sanitize what is left of the address
+    return address.replace('\\', '/');
+  },
   ['//', 'protocol', 2, 1, 1],          // Extract from the front.
   ['/', 'pathname'],                    // Extract from the back.
   ['@', 'auth', 1],                     // Extract from the front.
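Review bot: `address.replace('\\', '/')` on the new sanitize line replaces only the first backslash, because String.prototype.replace with a string pattern matches a single occurrence; any further backslash in the remaining address survives into the protocol, auth and host extraction that follows. Replacing every occurrence takes a global regex, `return address.replace(/\\/g, '/');`. The added tests in test.js each place at most one backslash in the part of the URL that reaches this step, so they would pass with either form and do not cover the remaining-backslash case. The comment could also say what the step is for rather than its position, e.g. `// Normalize backslashes to forward slashes before protocol/auth/host extraction`. The `instructions` array this function is inserted into continues outside the hunk.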
@@ -74,6 +77,10 @@
 
   for (; i < instructions.length; i++) {
     instruction = instructions[i];
+    if (typeof instruction === 'function') {
+      address = instruction(address);
+      continue;
+    }
     parse = instruction[0];
     key = instruction[1];
 
--- a/test.js
+++ b/test.js
@@ -152,6 +152,28 @@
     assume(parsed.pathname).equals('/b/c');
   });
 
+  it('ignores \\ in pathnames', function () {
+    var url = 'http://google.com:80\\@yahoo.com/#what\\is going on'
+      , parsed = parse(url);
+
+    assume(parsed.port).equals('');
+    assume(parsed.username).equals('');
+    assume(parsed.password).equals('');
+    assume(parsed.hostname).equals('google.com');
+    assume(parsed.hash).equals('#what\\is going on');
+
+    parsed = parse('//\\what-is-up.com');
+    assume(parsed.pathname).equals('/what-is-up.com');
+  });
+
+  it('correctly ignores multiple slashes //', function () {
+    var url = '////what-is-up.com'
+      , parsed = parse(url);
+
+    assume(parsed.host).equals('');
+    assume(parsed.hostname).equals('');
+  });
+
   describe('ip', function () {
     // coap://
     //
@@ -386,6 +408,15 @@
 
       assume(data.href).equals('https://google.com/?foo=bar');
     });
+
+    it('maintains the port number for non-default port numbers', function () {
+      var parsed = parse('http://google.com:8080/pathname');
+
+      assume(parsed.set('host', 'google.com:8080')).equals(parsed);
+
+      assume(parsed.host).equals('google.com:8080');
+      assume(parsed.href).equals('http://google.com:8080/pathname');
+    });
   });
 
   describe('fuzzy', function () {