url.parse security with special characters #711
Comments
Closed by d664bf3: URL parse more safely

This does 3 things:
1. Delimiters and "unwise" characters are never included in the hostname or path.
2. url.format will sanitize string URLs that are passed to it.
3. The parsed url's 'href' member will be the sanitized url, which may not match the argument to url.parse.
This fix caused valid URIs to fail. See: issue 954.
AFAICT this patch implicitly adds Thoughts on moving the implicit addition of the
I think for node's purposes, this makes sense. If you put
I just noticed that url.parse does not really verify the validity of host/hostname:
This can lead to potential security issues, if the developer just assumes that parse will correctly detect invalid hostnames and arguably this should be handled correctly by node. Here are excerpts of the relevant RFCs (at least ", ', <, >, and ` should be considered dangerous):
RFC 1738 Uniform Resource Locators (URL):
RFC 2396 Uniform Resource Identifiers (URI): Generic Syntax: