url: forbid pipe in URL host

Fixes: https://github.com/nodejs/node/issues/37862 PR-URL: https://github.com/nodejs/node/pull/37877 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
2025-12-06 00:20:08 +01:00 · 2021-03-23 22:23:11 +05:30 · 2021-03-23 22:23:11 +05:30 · 570fbcef93
commit 570fbcef93
parent 5e15ae05d0
5 changed files with 67 additions and 12 deletions
--- a/src/node_url.cc
+++ b/src/node_url.cc
@ -208,7 +208,7 @@ CHAR_TEST(8, IsForbiddenHostCodePoint,
          ch == ' ' || ch == '#' || ch == '%' || ch == '/' ||
          ch == ':' || ch == '?' || ch == '@' || ch == '[' ||
          ch == '<' || ch == '>' || ch == '\\' || ch == ']' ||
-          ch == '^')
+          ch == '^' || ch == '|')

 // https://url.spec.whatwg.org/#windows-drive-letter
 TWO_CHAR_STRING_TEST(8, IsWindowsDriveLetter,
--- a/test/cctest/test_url.cc
+++ b/test/cctest/test_url.cc
@ -44,6 +44,11 @@ TEST_F(URLTest, Simple2) {
  EXPECT_EQ(simple.fragment(), "fragment");
 }

+TEST_F(URLTest, ForbiddenHostCodePoint) {
+  URL error("https://exa|mple.org:81/a/b/c?query#fragment");
+  EXPECT_TRUE(error.flags() & URL_FLAGS_FAILED);
+}
+
 TEST_F(URLTest, NoBase1) {
  URL error("123noscheme");
  EXPECT_TRUE(error.flags() & URL_FLAGS_FAILED);
--- a/test/fixtures/wpt/README.md
+++ b/test/fixtures/wpt/README.md
@ -21,7 +21,7 @@ Last update:
 - html/webappapis/timers: https://github.com/web-platform-tests/wpt/tree/5873f2d8f1/html/webappapis/timers
 - interfaces: https://github.com/web-platform-tests/wpt/tree/79fa4cf76e/interfaces
 - resources: https://github.com/web-platform-tests/wpt/tree/972ca5b669/resources
- url: https://github.com/web-platform-tests/wpt/tree/33f2e3f2e7/url
+- url: https://github.com/web-platform-tests/wpt/tree/5eebfdb1f6/url

 [Web Platform Tests]: https://github.com/web-platform-tests/wpt
 [`git node wpt`]: https://github.com/nodejs/node-core-utils/blob/master/docs/git-node.md#git-node-wpt
--- a/test/fixtures/wpt/url/resources/urltestdata.json
+++ b/test/fixtures/wpt/url/resources/urltestdata.json
@ -4682,30 +4682,30 @@
  },
  "Allowed host code points",
  {
-    "input": "http://\u001F!\"$&'()*+,-.;=_`{|}~/",
+    "input": "http://\u001F!\"$&'()*+,-.;=_`{}~/",
    "base": "about:blank",
-    "href": "http://\u001F!\"$&'()*+,-.;=_`{|}~/",
-    "origin": "http://\u001F!\"$&'()*+,-.;=_`{|}~",
+    "href": "http://\u001F!\"$&'()*+,-.;=_`{}~/",
+    "origin": "http://\u001F!\"$&'()*+,-.;=_`{}~",
    "protocol": "http:",
    "username": "",
    "password": "",
-    "host": "\u001F!\"$&'()*+,-.;=_`{|}~",
-    "hostname": "\u001F!\"$&'()*+,-.;=_`{|}~",
+    "host": "\u001F!\"$&'()*+,-.;=_`{}~",
+    "hostname": "\u001F!\"$&'()*+,-.;=_`{}~",
    "port": "",
    "pathname": "/",
    "search": "",
    "hash": ""
  },
  {
-    "input": "sc://\u001F!\"$&'()*+,-.;=_`{|}~/",
+    "input": "sc://\u001F!\"$&'()*+,-.;=_`{}~/",
    "base": "about:blank",
-    "href": "sc://%1F!\"$&'()*+,-.;=_`{|}~/",
+    "href": "sc://%1F!\"$&'()*+,-.;=_`{}~/",
    "origin": "null",
    "protocol": "sc:",
    "username": "",
    "password": "",
-    "host": "%1F!\"$&'()*+,-.;=_`{|}~",
-    "hostname": "%1F!\"$&'()*+,-.;=_`{|}~",
+    "host": "%1F!\"$&'()*+,-.;=_`{}~",
+    "hostname": "%1F!\"$&'()*+,-.;=_`{}~",
    "port": "",
    "pathname": "/",
    "search": "",
@ -5202,6 +5202,56 @@
    "search": "",
    "hash": ""
  },
+  {
+    "input": "file://%43%3A",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "file://%43%7C",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "file://%43|",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "file://C%7C",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "file://%43%7C/",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "https://%43%7C/",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "asdf://%43|/",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "asdf://%43%7C/",
+    "base": "about:blank",
+    "href": "asdf://%43%7C/",
+    "origin": "null",
+    "protocol": "asdf:",
+    "username": "",
+    "password": "",
+    "host": "%43%7C",
+    "hostname": "%43%7C",
+    "port": "",
+    "pathname": "/",
+    "search": "",
+    "hash": ""
+  },
  "# file URLs relative to other file URLs (via https://github.com/jsdom/whatwg-url/pull/60)",
  {
    "input": "pix/submit.gif",
--- a/test/fixtures/wpt/versions.json
+++ b/test/fixtures/wpt/versions.json
@ -44,7 +44,7 @@
    "path": "resources"
  },
  "url": {
-    "commit": "33f2e3f2e759bd51ebf8e4b9a01b067bc8281c5c",
+    "commit": "5eebfdb1f68059549b3efff380dd190bc6078266",
    "path": "url"
  }
 }