github.com/nodejs/node.git
author: Timothy Gu <timothygu99@gmail.com> 2021-05-11 10:59:30 +0300
committer: Timothy Gu <timothygu99@gmail.com> 2021-05-14 09:04:23 +0300
commit: 70157b9cb7d703ee9c44ff56522c65829a599d67
tree: 199384c093fb57dcfd54862e2c76cdad947a7e3e /doc/api/errors.md
parent: 41fab0d6cba15c8e149d2a4b2d1adde98d5ac3ad
url: forbid certain confusable changes from being introduced by toASCII

The legacy url.parse() function attempts to convert Unicode domains (IDNs) into their ASCII/Punycode form through the use of the toASCII function. However, toASCII can introduce or remove various characters that at best invalidate the parsed URL, and at worst cause hostname spoofing:

    url.parse('http://bad.c℀.good.com/').href === 'http://bad.ca/c.good.com/' (from [1])
    url.parse('http://\u00AD/bad.com').href === 'http:///bad.com/'

While changes to the legacy URL parser are discouraged in general, the security implications here outweigh the desire for strict compatibility. This is since this commit only changes behavior when non-ASCII characters appear in the hostname, an unusual situation for most use cases. Additionally, despite the availability of the WHATWG URL API, url.parse remains widely deployed in the Node.js ecosystem, as exemplified by the recent un-deprecation of the legacy API.

This change is similar in spirit to CPython 3.8's change [2] fixing bpo-36216 [3] aka CVE-2019-9636, which also occurred despite potential compatibility concerns.

[1]: https://hackerone.com/reports/678487
[2]: https://github.com/python/cpython/commit/16e6f7dee7f02bb81aa6b385b982dcdda5b99286
[3]: https://bugs.python.org/issue36216

PR-URL: https://github.com/nodejs/node/pull/38631
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>

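
The class of change the commit message describes can be caught by comparing a hostname before and after ASCII conversion. The following is an added example, not code from this commit or from Node.js; `checkAsciiConversion`, `auditSamples` and the delimiter set are hypothetical names and choices, and the sample pairs are constructed (the first two read off the hrefs quoted above).

```javascript
'use strict';

// Characters that delimit the host inside a URL. This set is an assumption
// chosen for the example; it is not Node.js's own list.
const HOST_DELIMITERS = new Set(['/', '?', '#', '@', ':', '\\']);

// Compare a hostname before and after IDN-to-ASCII conversion and report
// changes that would alter how the surrounding URL is split into parts.
function checkAsciiConversion(original, converted) {
  if (original.length > 0 && converted.length === 0) {
    return { ok: false, reason: 'hostname became empty' };
  }
  const introduced = new Set();
  for (const ch of converted) {
    // Only flag delimiters the caller did not write themselves.
    if (HOST_DELIMITERS.has(ch) && !original.includes(ch)) introduced.add(ch);
  }
  if (introduced.size > 0) {
    return { ok: false, reason: `introduced delimiter: ${[...introduced].join(' ')}` };
  }
  return { ok: true, reason: '' };
}

// Constructed samples: [hostname as written, hostname after conversion].
// U+2100 (℀) has the compatibility decomposition "a/c"; U+00AD is dropped.
// The third pair is a benign IDN added for contrast.
const SAMPLES = [
  ['bad.c\u2100.good.com', 'bad.ca/c.good.com'],
  ['\u00AD', ''],
  ['b\u00FCcher.example', 'xn--bcher-kva.example'],
];

function auditSamples() {
  return SAMPLES.map(([original, converted]) => ({
    converted,
    ...checkAsciiConversion(original, converted),
  }));
}

for (const r of auditSamples()) {
  console.log(JSON.stringify(r.converted), r.ok ? 'ok' : `rejected (${r.reason})`);
}
```
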
Diffstat (limited to 'doc/api/errors.md')
-rw-r--r-- doc/api/errors.md 9
1 files changed, 5 insertions, 4 deletions
diff --git a/doc/api/errors.md b/doc/api/errors.md
index 3ff3c5c1797..f199689f2dc 100644
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -1677,10 +1677,10 @@ An invalid URI was passed.
<a id="ERR_INVALID_URL"></a>
### `ERR_INVALID_URL`
-An invalid URL was passed to the [WHATWG][WHATWG URL API]
-[`URL` constructor][`new URL(input)`] to be parsed. The thrown error object
-typically has an additional property `'input'` that contains the URL that failed
-to parse.
+An invalid URL was passed to the [WHATWG][WHATWG URL API] [`URL`
+constructor][`new URL(input)`] or the legacy [`url.parse()`][] to be parsed.
+The thrown error object typically has an additional property `'input'` that
+contains the URL that failed to parse.
<a id="ERR_INVALID_URL_SCHEME"></a>
### `ERR_INVALID_URL_SCHEME`
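Review bot: In the rewritten `ERR_INVALID_URL` paragraph, the sentence "The thrown error object typically has an additional property `'input'`" now reads as covering the legacy `url.parse()` path as well as the `URL` constructor, and nothing in these lines shows that the legacy path sets `input`. Either confirm it does or scope that sentence to the constructor. The paragraph also does not say which `url.parse()` inputs raise this error. Per the commit message it is limited to hostnames containing non-ASCII characters, and one clause stating that would help callers who do not wrap `url.parse()` in try/catch.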
@@ -2824,6 +2824,7 @@ The native call from `process.cpuUsage` could not be processed.
[`stream.write()`]: stream.md#stream_writable_write_chunk_encoding_callback
[`subprocess.kill()`]: child_process.md#child_process_subprocess_kill_signal
[`subprocess.send()`]: child_process.md#child_process_subprocess_send_message_sendhandle_options_callback
+[`url.parse()`]: url.md#url_url_parse_urlstring_parsequerystring_slashesdenotehost
[`util.getSystemErrorName(error.errno)`]: util.md#util_util_getsystemerrorname_err
[`zlib`]: zlib.md
[crypto digest algorithm]: crypto.md#crypto_crypto_gethashes
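Review bot: The added `[`url.parse()`]` reference points at `url.md#url_url_parse_urlstring_parsequerystring_slashesdenotehost`, and that fragment cannot be checked from this errors.md-only view, so please confirm it matches the generated anchor in url.md. Since the view is limited to this file, also make sure the `url.parse()` entry in url.md states that it can now throw `ERR_INVALID_URL`, so the two pages reference each other.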