

deps: encodeurl@~2.0.0
blakeembrey committed Apr 24, 2024
1 parent 6da57c7 commit d6e6204
Showing 4 changed files with 11 additions and 24 deletions.
6 changes: 6 additions & 0 deletions History.md
@@ -1,3 +1,9 @@
unreleased
==========

* deps: encodeurl@~2.0.0
- Removes encoding of `\`, `|`, and `^` to align better with URL spec

4.19.2 / 2024-03-25
==========

10 changes: 1 addition & 9 deletions lib/response.js
Expand Up @@ -55,7 +55,6 @@ module.exports = res
*/

var charsetRegExp = /;\s*charset\s*=/;
var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?]+/;

/**
* Set status `code`.
Expand Down Expand Up @@ -914,14 +913,7 @@ res.location = function location(url) {
loc = String(url);
}

var m = schemaAndHostRegExp.exec(loc);
var pos = m ? m[0].length + 1 : 0;

// Only encode after host to avoid invalid encoding which can introduce
// vulnerabilities (e.g. `\\` to `%5C`).
loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos));

return this.set('Location', loc);
return this.set('Location', encodeUrl(loc));
};

/**
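Review bot: The new `return this.set('Location', encodeUrl(loc));` removes the comment that explained why encoding previously stopped short of the authority, and nothing left in lib/response.js records that encoding the whole value is only safe because encodeurl 2.x leaves `\`, `|` and `^` unencoded — within this commit that reasoning survives only in the History.md entry. A one-line comment above the return, `// encodeurl@2 does not encode backslash, pipe or caret, so encoding the whole value is safe; keep in step with the "encodeurl" range in package.json`, would keep the invariant beside the code that depends on it. The `~2.0.0` pin in package.json is what currently enforces that behaviour, so this call is the place to re-check if the range is widened or the encoder is swapped. The `location` function begins outside the hunk.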
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -37,7 +37,7 @@
"cookie-signature": "1.0.6",
"debug": "2.6.9",
"depd": "2.0.0",
"encodeurl": "~1.0.2",
"encodeurl": "~2.0.0",
"escape-html": "~1.0.3",
"etag": "~1.8.1",
"finalhandler": "1.2.0",
17 changes: 3 additions & 14 deletions test/res.location.js
Expand Up @@ -293,23 +293,12 @@ describe('res', function(){
);
});

it('should percent encode backslashes in the path', function (done) {
it('should keep backslashes in the path', function (done) {
var app = createRedirectServerForDomain('google.com');
testRequestedRedirect(
app,
'https://google.com/foo\\bar\\baz',
'https://google.com/foo%5Cbar%5Cbaz',
'google.com',
done
);
});

it('should encode backslashes in the path after the first backslash that triggered path parsing', function (done) {
var app = createRedirectServerForDomain('google.com');
testRequestedRedirect(
app,
'https://google.com\\@app\\l\\e.com',
'https://google.com\\@app%5Cl%5Ce.com',
'https://google.com/foo\\bar\\baz',
'google.com',
done
);
Expand Down Expand Up @@ -364,7 +353,7 @@ describe('res', function(){
testRequestedRedirect(
app,
'file:///etc\\passwd',
'file:///etc%5Cpasswd',
'file:///etc\\passwd',
'',
done
);
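Review bot: In the first hunk the case `'should encode backslashes in the path after the first backslash that triggered path parsing'` (input `'https://google.com\\@app\\l\\e.com'`) is deleted outright rather than updated, so a backslash inside the authority portion no longer has any pinned expectation; the renamed `'should keep backslashes in the path'` case only covers a backslash after the path has started. If encodeurl 2.x passes backslashes through as the History entry states, that input should now round-trip unchanged, and keeping the case with that expected value would catch a future encoder change that reintroduces `%5C` in the authority. The expected string below assumes that pass-through behaviour and should be confirmed against the new dependency. The enclosing `describe('res', ...)` begins outside the hunk.
```javascript
// … unchanged: 'should keep backslashes in the path' case …
it('should keep backslashes in the authority', function (done) {
  var app = createRedirectServerForDomain('google.com');
  testRequestedRedirect(
    app,
    'https://google.com\\@app\\l\\e.com',
    'https://google.com\\@app\\l\\e.com',
    'google.com',
    done
  );
});
```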
