File: CVE-2022-0691.patch

node-url-parse 1.5.3-1%2Bdeb11u2
Description: Strip all control characters from the beginning of the URL
Author: Luigi Pinca <luigipinca@gmail.com>
Origin: upstream, https://github.com/unshiftio/url-parse/commit/0e3fb542
Bug: https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4
Forwarded: not-needed
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2022-04-11

--- a/index.js
+++ b/index.js
@@ -6,7 +6,8 @@
   , port = /:\d+$/
   , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\\/]+)?([\S\s]*)/i
   , windowsDriveLetter = /^[a-zA-Z]:/
-  , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
+  //                  \t  \n    \v  \f   \r
+  , whitespace = '[\\x00-\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
   , left = new RegExp('^'+ whitespace +'+');
 
 /**
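Review bot: The added comment line `// \t \n \v \f \r` labels five escapes that are no longer spelled out in the class, because the new pattern opens with the range `\\x00-\\x20`; as written it suggests only those five characters are matched. I would replace it with a comment that states the intent, for example `// C0 control characters and space (U+0000-U+0020), then Unicode whitespace; stripped from the start of the URL only`. The name `whitespace` is now narrower than what the class holds, which is worth a word in the same comment since a rename would touch code outside the hunk. `left` stays anchored with `^`, so control characters further inside the input are untouched by this change; whether another code path deals with them is not visible here.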
--- a/test/test.js
+++ b/test/test.js
@@ -47,8 +47,14 @@
       assume(parse.trimLeft).is.a('function');
     });
 
-    it('removes whitespace on the left', function () {
-      assume(parse.trimLeft('  lol')).equals('lol');
+    it('removes control characters on the left', function () {
+      var i = 0;
+      var prefix = ''
+
+      for (; i < 33; i++) {
+        prefix = String.fromCharCode(i);
+        assume(parse.trimLeft(prefix + prefix +'lol')).equals('lol');
+      }
     });
 
     it('calls toString on a given value', function () {
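Review bot: Each iteration of the new loop prepends the same character twice (`prefix + prefix`), so a prefix mixing different control characters is never exercised, and neither are the non-ASCII entries of the class. One mixed case such as `assume(parse.trimLeft('\x00\t\x1F lol')).equals('lol');` and one that checks interior characters survive, `assume(parse.trimLeft('\x01l\x01ol')).equals('l\x01ol');`, would pin the anchoring as well (both sample inputs are constructed for this note). The test also checks only `trimLeft`; an assertion that parsing a URL with such a prefix still yields the expected protocol would cover the behaviour the fix is about, unless that already exists elsewhere in the file. `var prefix = ''` is missing its semicolon, and the bound `33` would read better with a comment saying it covers 0x00 through 0x20. The enclosing `describe` block starts and ends outside the hunk.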