Some URLs can crash the proxy server #415

ruquay opened this Issue May 2, 2013 · 1 comment


None yet

2 participants

ruquay commented May 2, 2013

It's possible to crash the proxy server using certain URLs in the HTTP request. If the URL causes require("url").parse to return a result with null pathname, such as the one below, the proxy server will crash due to a null reference.

// instantiate HTTP server to actually serve requests
var http = require("http");
http.createServer(function(req, res){
    res.writeHead(200, {"Content-type": "text/plain"});
    res.end("Request proxied\n" + JSON.stringify(req.headers, true, 2));
// proxy server in front of above server
var httpProxy = require("http-proxy");
httpProxy.createServer({ router: { ".*": "" } }).listen(8080);

// make some requests
var urls = [
    // directly on first server
    // via the proxy server
    "http://localhost:8080//bad-url?e=a@b" // crashes the proxy server
var next = function() {
    var url = urls.shift();
    console.log("GET %s", url);
    http.get(url, function(){
        console.log("OK: %s", url);
        if ( urls.length ) { next(); }
jcrugzz commented Jan 20, 2016

This is based on an older version of http-proxy please use the latest version and open a new issue if you have a problem. Thanks!

@jcrugzz jcrugzz closed this Jan 20, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment