[dist] 1.5.2

unshiftio · Jul 25, 2021 · 201034b · 201034b
1 parent 2d9ac2c
commit 201034b
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/SECURITY.md b/SECURITY.md
@@ -33,6 +33,19 @@ acknowledge your responsible disclosure, if you wish.
 
 ## History
 
+> url-parse mishandles certain use a single of (back) slash such as https:\ &
+> https:/ and > interprets the URI as a relative path. Browsers accept a single
+> backslash after the protocol, and treat it as a normal slash, while url-parse
+> sees it as a relative path.
+
+- **Reporter credits**
+  - Ready-Research
+  - GitHub: [@Ready-Reserach](https://github.com/ready-research)
+- Huntr report: https://www.huntr.dev/bounties/1625557993985-unshiftio/url-parse/
+- Fixed in: 1.5.2
+
+---
+
 > Using backslash in the protocol is valid in the browser, while url-parse
 > thinks it’s a relative path. An application that validates a url using
 > url-parse might pass a malicious link.
@@ -42,6 +55,8 @@ acknowledge your responsible disclosure, if you wish.
   - Twitter: [Yaniv Nizry](https://twitter.com/ynizry)
 - Fixed in: 1.5.0
 
+---
+
 > The `extractProtocol` method does not return the correct protocol when
 > provided with unsanitized content which could lead to false positives.
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "url-parse",
-  "version": "1.5.1",
+  "version": "1.5.2",
   "description": "Small footprint URL parser that works seamlessly across Node.js and browser environments",
   "main": "index.js",
   "scripts": {