Skip to content
This repository was archived by the owner on Apr 22, 2023. It is now read-only.
This repository was archived by the owner on Apr 22, 2023. It is now read-only.

url.parse misinterprets hostname #8520

Closed
Closed
url.parse misinterprets hostname#8520
Labels
S-confirmed-bugurl
@pierre-elie

Description

@pierre-elie
pierre-elie
opened on Oct 6, 2014

Node v0.10.32

url.parse('https://good.com+.evil.org/?accessToken=xxx');

returns

{ 
  protocol: 'https:',
  slashes: true,
  auth: null,
  host: 'good.com',
  port: null,
  hostname: 'good.com',
  hash: null,
  search: '?accessToken=xxx',
  query: 'accessToken=xxx',
  pathname: '/+.evil.org/',
  path: '/+.evil.org/?accessToken=xxx',
  href: 'https://good.com/+.evil.org/?accessToken=xxx'
}

url.parse misinterpreted https://good.com+.evil.org/ as https://good.com/+.evil.org/
If we use url.parse to check the validity of the hostname, the test passes, but in the browser the user is redirected to the evil.org website.

Other characters than + might do the trick too.

Metadata

Metadata

Assignees

No one assigned

    Labels

    S-confirmed-bugurl

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions