deps: encodeurl@~2.0.0 (#5569)

2025-12-06 12:19:51 +01:00 · 2024-05-04 13:53:09 -07:00 · 2024-05-04 13:53:09 -07:00 · bf91946bd4
commit bf91946bd4
parent d97d79ed9a
4 changed files with 11 additions and 24 deletions
--- a/History.md
+++ b/History.md
@ -1,3 +1,9 @@
+unreleased
+==========
+
+  * deps: encodeurl@~2.0.0
+    - Removes encoding of `\`, `|`, and `^` to align better with URL spec
+
 4.19.2 / 2024-03-25
 ==========

--- a/lib/response.js
+++ b/lib/response.js
@ -55,7 +55,6 @@ module.exports = res
 */

 var charsetRegExp = /;\s*charset\s*=/;
-var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?]+/;

 /**
 * Set status `code`.
@ -914,14 +913,7 @@ res.location = function location(url) {
    loc = String(url);
  }

-  var m = schemaAndHostRegExp.exec(loc);
-  var pos = m ? m[0].length + 1 : 0;
-
-  // Only encode after host to avoid invalid encoding which can introduce
-  // vulnerabilities (e.g. `\\` to `%5C`).
-  loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos));
-
-  return this.set('Location', loc);
+  return this.set('Location', encodeUrl(loc));
 };

 /**
--- a/package.json
+++ b/package.json
@ -37,7 +37,7 @@
    "cookie-signature": "1.0.6",
    "debug": "2.6.9",
    "depd": "2.0.0",
-    "encodeurl": "~1.0.2",
+    "encodeurl": "~2.0.0",
    "escape-html": "~1.0.3",
    "etag": "~1.8.1",
    "finalhandler": "1.2.0",
--- a/test/res.location.js
+++ b/test/res.location.js
@ -293,23 +293,12 @@ describe('res', function(){
      );
    });

-    it('should percent encode backslashes in the path', function (done) {
+    it('should keep backslashes in the path', function (done) {
      var app = createRedirectServerForDomain('google.com');
      testRequestedRedirect(
        app,
        'https://google.com/foo\\bar\\baz',
-        'https://google.com/foo%5Cbar%5Cbaz',
-        'google.com',
-        done
-      );
-    });
-
-    it('should encode backslashes in the path after the first backslash that triggered path parsing', function (done) {
-      var app = createRedirectServerForDomain('google.com');
-      testRequestedRedirect(
-        app,
-        'https://google.com\\@app\\l\\e.com',
-        'https://google.com\\@app%5Cl%5Ce.com',
+        'https://google.com/foo\\bar\\baz',
        'google.com',
        done
      );
@ -364,7 +353,7 @@ describe('res', function(){
      testRequestedRedirect(
        app,
        'file:///etc\\passwd',
-        'file:///etc%5Cpasswd',
+        'file:///etc\\passwd',
        '',
        done
      );