From 9be51ee9a1ea8f9cc578abc1b9e70b220f7488ac Mon Sep 17 00:00:00 2001 From: Yash Ladha Date: Sat, 9 May 2020 21:47:52 +0530 Subject: [PATCH] url: forbid lt and gt in url host code point As per the recent changes in whatwg/url spec. lt and gt are also added in the list of forbidden hostCodePoint list. PR-URL: https://github.com/nodejs/node/pull/33328 Refs: https://github.com/whatwg/url/pull/459 Refs: https://github.com/nodejs/node/issues/33315 Reviewed-By: Anna Henningsen Reviewed-By: Yongsheng Zhang Reviewed-By: Ruben Bridgewater --- src/node_url.cc | 3 +- .../wpt/url/resources/urltestdata.json | 77 +++++++++++++++---- 2 files changed, 64 insertions(+), 16 deletions(-) diff --git a/src/node_url.cc b/src/node_url.cc index 27e89e8d9b7652..8751588d8bf309 100644 --- a/src/node_url.cc +++ b/src/node_url.cc @@ -206,7 +206,8 @@ CHAR_TEST(8, IsForbiddenHostCodePoint, ch == '\0' || ch == '\t' || ch == '\n' || ch == '\r' || ch == ' ' || ch == '#' || ch == '%' || ch == '/' || ch == ':' || ch == '?' || ch == '@' || ch == '[' || - ch == '\\' || ch == ']') + ch == '<' || ch == '>' || ch == '\\' || ch == ']' || + ch == '^') // https://url.spec.whatwg.org/#windows-drive-letter TWO_CHAR_STRING_TEST(8, IsWindowsDriveLetter, diff --git a/test/fixtures/wpt/url/resources/urltestdata.json b/test/fixtures/wpt/url/resources/urltestdata.json index bf4e2a7833d17f..58501e215318df 100644 --- a/test/fixtures/wpt/url/resources/urltestdata.json +++ b/test/fixtures/wpt/url/resources/urltestdata.json @@ -4481,21 +4481,6 @@ "search": "", "hash": "" }, - { - "input": "sc://\u001F!\"$&'()*+,-.;<=>^_`{|}~/", - "base": "about:blank", - "href": "sc://%1F!\"$&'()*+,-.;<=>^_`{|}~/", - "origin": "null", - "protocol": "sc:", - "username": "", - "password": "", - "host": "%1F!\"$&'()*+,-.;<=>^_`{|}~", - "hostname": "%1F!\"$&'()*+,-.;<=>^_`{|}~", - "port": "", - "pathname": "/", - "search": "", - "hash": "" - }, { "input": "sc://\u0000/", "base": "about:blank", 
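Review bot: The added condition in `IsForbiddenHostCodePoint` (src/node_url.cc) rejects `^` as well as `<` and `>`, while the subject and description name only lt and gt, so the commit record understates which hosts now fail to parse. A one-line comment above the macro would make the list auditable against the spec, for example `// https://url.spec.whatwg.org/#forbidden-host-code-point (adds '<', '>', '^' per whatwg/url#459)`; the lines above the `CHAR_TEST` invocation are outside the hunk, so such a comment may already exist. The "Allowed host code points" fixtures added in this patch still accept a double quote, single quote and backtick in a host, so callers that embed `url.host` in HTML or a shell command still need to escape it after this change.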
@@ -4649,6 +4634,68 @@ "search": "", "hash": "" }, + "Forbidden host code points", + { + "input": "http://ab", + "base": "about:blank", + "failure": true + }, + { + "input": "http://a^b", + "base": "about:blank", + "failure": true + }, + { + "input": "non-special://ab", + "base": "about:blank", + "failure": true + }, + { + "input": "non-special://a^b", + "base": "about:blank", + "failure": true + }, + "Allowed host code points", + { + "input": "http://\u001F!\"$&'()*+,-.;=_`{|}~/", + "base": "about:blank", + "href": "http://\u001F!\"$&'()*+,-.;=_`{|}~/", + "origin": "http://\u001F!\"$&'()*+,-.;=_`{|}~", + "protocol": "http:", + "username": "", + "password": "", + "host": "\u001F!\"$&'()*+,-.;=_`{|}~", + "hostname": "\u001F!\"$&'()*+,-.;=_`{|}~", + "port": "", + "pathname": "/", + "search": "", + "hash": "" + }, + { + "input": "sc://\u001F!\"$&'()*+,-.;=_`{|}~/", + "base": "about:blank", + "href": "sc://%1F!\"$&'()*+,-.;=_`{|}~/", + "origin": "null", + "protocol": "sc:", + "username": "", + "password": "", + "host": "%1F!\"$&'()*+,-.;=_`{|}~", + "hostname": "%1F!\"$&'()*+,-.;=_`{|}~", + "port": "", + "pathname": "/", + "search": "", + "hash": "" + }, "# Hosts and percent-encoding", { "input": "ftp://example.com%80/",