node/test/parallel/test-http-client-invalid-path.js
Benno Fünfstück 513e9747a2 http: disallow two-byte characters in URL path
CVE-2018-12116
Backport of b961d9fd to 8.x

Original commit:
  This commit changes node's handling of two-byte characters in
  the path component of an http URL. Previously, node would just
  strip the higher byte when generating the request. So this code:

  ```
  http.request({host: "example.com", port: "80", path: "/Ｎ"})
  ```

  would request `http://example.com/.`
  (`.` is the character for the byte `0x2e`).

  This is not useful and can in some cases lead to filter evasion.
  With this change, the code generates `ERR_UNESCAPED_CHARACTERS`,
  just like space and control characters already did.

  PR-URL: https://github.com/nodejs/node/pull/16237
  Reviewed-By: James M Snell <jasnell@gmail.com>
  Reviewed-By: Anna Henningsen <anna@addaleax.net>
  Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
  Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
  Reviewed-By: Timothy Gu <timothygu99@gmail.com>

PR-URL: https://github.com/nodejs-private/node-private/pull/146
Fixes: https://github.com/nodejs-private/security/issues/207
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2018-11-27 15:07:09 +11:00

13 lines
237 B
JavaScript

'use strict';
require('../common');
const http = require('http');
const assert = require('assert');

assert.throws(() => {
  http.request({
    path: '/thisisinvalid\uffe2'
  }).end();
}, /Request path contains unescaped characters/);
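
The following is an added example, not code from Node.js or from this commit. It models the byte truncation the commit message describes and a path check that rejects such input before a request is built. The function names and the accepted range 0x21-0xff are assumptions made for this illustration.

```javascript
// Added example: hypothetical helpers, not Node.js internals.

// Encoding a string as 'latin1' keeps only the low byte of each UTF-16 code
// unit. This reproduces the pre-fix truncation described in the commit message.
function wirePathBeforeFix(path) {
  return Buffer.from(path, 'latin1').toString('latin1');
}

// True when the bytes that would have been sent differ from the string that
// application-level validation inspected.
function differsOnWire(path) {
  return wirePathBeforeFix(path) !== path;
}

// Assumed range for this example: reject space, control characters and any
// code unit that does not fit in a single byte.
const INVALID_PATH = /[^\u0021-\u00ff]/;

function checkPath(path) {
  if (INVALID_PATH.test(path)) {
    throw new TypeError('Request path contains unescaped characters');
  }
  return path;
}

// Constructed samples: the commit message's example, the path used in the
// test file above, a path with a space, and a plain ASCII path.
const samples = ['/\uff2e', '/thisisinvalid\uffe2', '/a b', '/index.html'];

function report(paths) {
  return paths.map((p) => {
    let accepted = true;
    try { checkPath(p); } catch (e) { accepted = false; }
    return { path: p, wire: wirePathBeforeFix(p), accepted };
  });
}

console.log(report(samples));
```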