Skip to content

Commit

Permalink
doc: deprecate use of invalid ports in url.parse
Browse files Browse the repository at this point in the history
PR-URL: #45576
Refs: #45526
Co-authored-by: Rich Trott <rtrott@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
  • Loading branch information
2 people authored and danielleadams committed Jan 3, 2023
1 parent 6a36159 commit b771fdb
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions doc/api/deprecations.md
Original file line number Diff line number Diff line change
Expand Up @@ -3283,6 +3283,22 @@ Type: Documentation-only
have security implications. Use the [WHATWG URL API][] instead. CVEs are not
issued for `url.parse()` vulnerabilities.

### DEP0170: Invalid port when using `url.parse()`

<!-- YAML
changes:
- version:
- REPLACEME
pr-url: https://github.com/nodejs/node/pull/45576
description: Documentation-only deprecation.
-->

Type: Documentation-only

[`url.parse()`][] accepts URLs with ports that are not numbers. This behavior
might result in host name spoofing with unexpected input. These URLs will throw
an error in future versions of Node.js, as the [WHATWG URL API][] does already.

[NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
[RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3
[RFC 8247 Section 2.4]: https://www.rfc-editor.org/rfc/rfc8247#section-2.4
Expand Down

0 comments on commit b771fdb

Please sign in to comment.