File CVE-2018-12123.patch of Package nodejs4
Date: Tue Jan 8 13:20:49 CET 2019
Ported patch:
From 9c268d049219462de0792284c504f137751cf198 Mon Sep 17 00:00:00 2001
From: Matteo Collina <hello@matteocollina.com>
Date: Mon, 10 Sep 2018 12:57:07 +0200
Subject: [PATCH] url: avoid hostname spoofing w/ javascript protocol
CVE-2018-12123
Fixes: https://github.com/nodejs-private/security/issues/205
PR-URL: https://github.com/nodejs-private/node-private/pull/145
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Index: node-v4.9.1/lib/url.js
===================================================================
--- node-v4.9.1.orig/lib/url.js
+++ node-v4.9.1/lib/url.js
@@ -143,13 +143,13 @@ Url.prototype.parse = function(url, pars
// how the browser resolves relative URLs.
if (slashesDenoteHost || proto || rest.match(/^\/\/[^@\/]+@[^@\/]+/)) {
var slashes = rest.substr(0, 2) === '//';
- if (slashes && !(proto && hostlessProtocol[proto])) {
+ if (slashes && !(proto && hostlessProtocol[lowerProto])) {
rest = rest.substr(2);
this.slashes = true;
}
}
- if (!hostlessProtocol[proto] &&
+ if (!hostlessProtocol[lowerProto] &&
(slashes || (proto && !slashedProtocol[proto]))) {
// there's a hostname.
Index: node-v4.9.1/test/parallel/test-url.js
===================================================================
--- node-v4.9.1.orig/test/parallel/test-url.js
+++ node-v4.9.1/test/parallel/test-url.js
@@ -862,8 +862,40 @@ var parseTests = {
pathname: '/:npm/npm',
path: '/:npm/npm',
href: 'git+ssh://git@github.com/:npm/npm'
- }
+ },
+
+ // The following two URLs are the same, but they differ for
+ // a capital A: it is important that we verify that the protocol
+ // is checked in a case-insensitive manner.
+ 'javascript:alert(1);a=\x27@white-listed.com\x27': {
+ protocol: 'javascript:',
+ slashes: null,
+ auth: null,
+ host: null,
+ port: null,
+ hostname: null,
+ hash: null,
+ search: null,
+ query: null,
+ pathname: "alert(1);a='@white-listed.com'",
+ path: "alert(1);a='@white-listed.com'",
+ href: "javascript:alert(1);a='@white-listed.com'"
+ },
+ 'javAscript:alert(1);a=\x27@white-listed.com\x27': {
+ protocol: 'javascript:',
+ slashes: null,
+ auth: null,
+ host: null,
+ port: null,
+ hostname: null,
+ hash: null,
+ search: null,
+ query: null,
+ pathname: "alert(1);a='@white-listed.com'",
+ path: "alert(1);a='@white-listed.com'",
+ href: "javascript:alert(1);a='@white-listed.com'"
+ }
};
for (const u in parseTests) {