Handle backslashes like Node.js and Chrome #233
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[RFC 2396][] section 2.4.3 puts backslashes (`\`) in the "unwise" list
of characters that aren't allowed in URIs. However, IE, Opera and Chrome
normalize backslashes to slashes (`/`), as noted in [Chromium][].
Since URI.js doesn't do this, it creates possible vulnerabilities. For
example:
```js
var page = URI(window.location.href);
var redirect = URI(page.search(true).redirect_uri);
if (page.domain() === redirect.domain()) {
window.location = redirect.href();
}
```
This logic will work fine, except when `redirect` has backslashes in the
host, e.g.
```
http://i.xss.com\www.example.org/foo
```
In this case, you'll get:
```js
URI("http://www.example.org").domain();
// example.org
URI("http://i.xss.com\\www.example.org/foo").domain();
// example.org
```
...yet the browsers will redirect you to
```
http://i.xss.com/www.example.org/foo
```
which could be a phishing site.
The supplied change simply replaces all backslashes before the query/hash with slashes. This workaround is also in [Node][Node].
[RFC 2396]: https://www.ietf.org/rfc/rfc2396.txt
[Chromium]: https://code.google.com/p/chromium/issues/detail?id=25916
[Node]: https://github.com/joyent/node/blob/386fd24f49b0e9d1a8a076592a404168faeecc34/lib/url.js#L115-L124
rodneyrehm
added a commit
that referenced
this pull request
Jul 24, 2015
security(parse-url) Handle backslashes like Node.js and Chrome
|
I wonder if escaping |
|
I've made your fix also apply to the mutator functions and released v1.16.0 |
|
Regarding |
rodneyrehm
added a commit
that referenced
this pull request
Sep 26, 2015
rodneyrehm
added a commit
that referenced
this pull request
Sep 26, 2015
This was referenced Mar 9, 2021
Closed
This was referenced Mar 14, 2021
This was referenced Mar 19, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
RFC 2396 section 2.4.3 puts backslashes (
\) in the "unwise" listof characters that aren't allowed in URIs. However, IE, Opera and Chrome
normalize backslashes to slashes (
/), as noted in Chromium.Since URI.js doesn't do this, it creates possible vulnerabilities. For
example:
This logic will work fine, except when
redirecthas backslashes in thehost, e.g.
In this case, you'll get:
...yet the browsers will redirect you to
which could be a phishing site.
The supplied change simply replaces all backslashes before the query/hash with slashes. This workaround is also in Node.