Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
fix(parse): handle CR,LF,TAB
reported by @Haxatron via huntr.dev
  • Loading branch information
rodneyrehm committed Apr 3, 2022
1 parent 88805fd commit b0c9796
Show file tree
Hide file tree
Showing 3 changed files with 54 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,7 @@ The release notes tracked in this document are also made available on the [relea
### master ###

* **SECURITY** fixing [`URI.parse()`](http://medialize.github.io/URI.js/docs.html#static-parse) handle excessive slashes in scheme-relative URLs - disclosed by [zeyu2001](https://github.com/zeyu2001) via https://huntr.dev/
* **SECURITY** fixing [`URI.parse()`](http://medialize.github.io/URI.js/docs.html#static-parse) remove `\r` (CR), `\n`, (LF) `\t` (TAB) - disclosed by [haxatron](https://github.com/haxatron) via https://huntr.dev/

### 1.19.10 (March 5th 2022) ###

Expand Down
4 changes: 4 additions & 0 deletions src/URI.js
Expand Up @@ -240,6 +240,8 @@
parens: /(\([^\)]*\)|\[[^\]]*\]|\{[^}]*\}|<[^>]*>)/g,
};
URI.leading_whitespace_expression = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/
// https://infra.spec.whatwg.org/#ascii-tab-or-newline
URI.ascii_tab_whitespace = /[\u0009\u000A\u000D]+/g
// http://www.iana.org/assignments/uri-schemes.html
// http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports
URI.defaultPorts = {
Expand Down Expand Up @@ -497,6 +499,8 @@
}

string = string.replace(URI.leading_whitespace_expression, '')
// https://infra.spec.whatwg.org/#ascii-tab-or-newline
string = string.replace(URI.ascii_tab_whitespace, '')

// [protocol"://"[username[":"password]"@"]hostname[":"port]"/"?][path]["?"querystring]["#"fragment]

Expand Down
49 changes: 49 additions & 0 deletions test/urls.js
Expand Up @@ -2718,6 +2718,55 @@ var urls = [{
idn: false,
punycode: false
}
}, {
name: 'ASCII tab or newline',
url: 'ja\r\nva\tscript:alert(1)',
_url: 'javascript:alert(1)',
parts: {
protocol: 'javascript',
username: null,
password: null,
hostname: null,
port: null,
path: 'alert(1)',
query: null,
fragment: null
},
accessors: {
protocol: 'javascript',
username: '',
password: '',
port: '',
path: 'alert(1)',
query: '',
fragment: '',
resource: 'alert(1)',
authority: '',
origin: '',
userinfo: '',
subdomain: '',
domain: '',
tld: '',
directory: '',
filename: '',
suffix: '',
hash: '',
search: '',
host: '',
hostname: ''
},
is: {
urn: true,
url: false,
relative: false,
name: false,
sld: false,
ip: false,
ip4: false,
ip6: false,
idn: false,
punycode: false
}
}, {
name: 'excessive colon in protocol delimiter',
url: 'http:://www.example.org:8080/hello:world',
Expand Down

0 comments on commit b0c9796

Please sign in to comment.