Overview

File CVE-2018-12123.patch of Package nodejs4

Date: Tue Jan  8 13:20:49 CET 2019

Ported patch:

From 9c268d049219462de0792284c504f137751cf198 Mon Sep 17 00:00:00 2001
From: Matteo Collina <hello@matteocollina.com>
Date: Mon, 10 Sep 2018 12:57:07 +0200
Subject: [PATCH] url: avoid hostname spoofing w/ javascript protocol

CVE-2018-12123

Fixes: https://github.com/nodejs-private/security/issues/205
PR-URL: https://github.com/nodejs-private/node-private/pull/145
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>


Index: node-v4.9.1/lib/url.js
===================================================================
--- node-v4.9.1.orig/lib/url.js
+++ node-v4.9.1/lib/url.js
@@ -143,13 +143,13 @@ Url.prototype.parse = function(url, pars
   // how the browser resolves relative URLs.
   if (slashesDenoteHost || proto || rest.match(/^\/\/[^@\/]+@[^@\/]+/)) {
     var slashes = rest.substr(0, 2) === '//';
-    if (slashes && !(proto && hostlessProtocol[proto])) {
+    if (slashes && !(proto && hostlessProtocol[lowerProto])) {
       rest = rest.substr(2);
       this.slashes = true;
     }
   }
 
-  if (!hostlessProtocol[proto] &&
+  if (!hostlessProtocol[lowerProto] &&
       (slashes || (proto && !slashedProtocol[proto]))) {
 
     // there's a hostname.
Index: node-v4.9.1/test/parallel/test-url.js
===================================================================
--- node-v4.9.1.orig/test/parallel/test-url.js
+++ node-v4.9.1/test/parallel/test-url.js
@@ -862,8 +862,40 @@ var parseTests = {
     pathname: '/:npm/npm',
     path: '/:npm/npm',
     href: 'git+ssh://git@github.com/:npm/npm'
-  }
+  },
+
+  // The following two URLs are the same, but they differ for
+  // a capital A: it is important that we verify that the protocol
+  // is checked in a case-insensitive manner.
+  'javascript:alert(1);a=\x27@white-listed.com\x27': {
+    protocol: 'javascript:',
+    slashes: null,
+    auth: null,
+    host: null,
+    port: null,
+    hostname: null,
+    hash: null,
+    search: null,
+    query: null,
+    pathname: "alert(1);a='@white-listed.com'",
+    path: "alert(1);a='@white-listed.com'",
+    href: "javascript:alert(1);a='@white-listed.com'"
+  },
 
+  'javAscript:alert(1);a=\x27@white-listed.com\x27': {
+    protocol: 'javascript:',
+    slashes: null,
+    auth: null,
+    host: null,
+    port: null,
+    hostname: null,
+    hash: null,
+    search: null,
+    query: null,
+    pathname: "alert(1);a='@white-listed.com'",
+    path: "alert(1);a='@white-listed.com'",
+    href: "javascript:alert(1);a='@white-listed.com'"
+  }
 };
 
 for (const u in parseTests) {
openSUSE Build Service is sponsored by
Places