
Handle backslashes like Node.js and Chrome #233

Merged
merged 1 commit into from Jul 24, 2015

Commits on Jul 23, 2015

  1. Handle backslashes like Node.js and Chrome

    [RFC 2396][] section 2.4.3 puts backslashes (`\`) in the "unwise" list
    of characters that aren't allowed in URIs. However, IE, Opera and Chrome
    normalize backslashes to slashes (`/`), as noted in [Chromium][].
    
    Since URI.js doesn't do this, it creates possible vulnerabilities. For
    example:
    
    ```js
    // Only follow redirect_uri if it points at the same domain as the current page
    var page = URI(window.location.href);
    var redirect = URI(page.search(true).redirect_uri);
    if (page.domain() === redirect.domain()) {
      window.location = redirect.href();
    }
    ```
    
    This logic will work fine, except when `redirect` has backslashes in the
    host, e.g.
    
    ```
    http://i.xss.com\www.example.org/foo
    ```
    
    In this case, you'll get:
    
    ```js
    URI("http://www.example.org").domain();
    // example.org
    URI("http://i.xss.com\\www.example.org/foo").domain();
    // example.org
    ```
    
    ...yet the browsers will redirect you to
    
    ```
    http://i.xss.com/www.example.org/foo
    ```
    
    which could be a phishing site.
    
    The supplied change simply replaces all backslashes before the query/hash with slashes. This workaround is also in [Node][Node].
    
    [RFC 2396]: https://www.ietf.org/rfc/rfc2396.txt
    [Chromium]: https://code.google.com/p/chromium/issues/detail?id=25916
    [Node]: https://github.com/joyent/node/blob/386fd24f49b0e9d1a8a076592a404168faeecc34/lib/url.js#L115-L124
    kara-ryli committed Jul 23, 2015 (commit 8e13c11)
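The attack and the fix described in the commit message, as an added example that is not part of URI.js or this PR: `normalizeBackslashes` does what the change does (backslashes before the query/hash become slashes), `naiveHost` and `domainOf` are hypothetical stand-ins for URI.js's parsing that reproduce the `example.org` result quoted above, and `sameDomainRedirect` is the hardened form of the check; `platformHost` cross-checks the result against the WHATWG `URL` parser built into Node.js and browsers.

```javascript
// Added example (not URI.js or this PR's code): the normalization the commit
// describes, applied before a same-domain redirect check.

// Replace every backslash that appears before the query string or fragment,
// as Node.js and Chrome do; backslashes after '?' or '#' are left untouched.
function normalizeBackslashes(href) {
  const cut = href.search(/[?#]/);
  const head = cut === -1 ? href : href.slice(0, cut);
  const tail = cut === -1 ? '' : href.slice(cut);
  return head.replace(/\\/g, '/') + tail;
}

// Hypothetical naive authority parser: stops only at '/', '?', '#' or ':', so a
// backslash stays inside the host (the behaviour the commit message reports).
function naiveHost(href) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^@/?#]*@)?([^/?#:]*)/i.exec(href);
  return m ? m[1] : null;
}

// Registered domain as the last two labels, which matches the commit's
// `.domain()` output for these hosts (real code would use the Public Suffix List).
function domainOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Hardened form of the check in the commit message: normalize first, then
// refuse the redirect unless both hosts parse and their domains are equal.
function sameDomainRedirect(pageHref, redirectHref) {
  const pageHost = naiveHost(normalizeBackslashes(pageHref));
  const redirectHost = naiveHost(normalizeBackslashes(redirectHref));
  if (!pageHost || !redirectHost) return false;
  return domainOf(pageHost) === domainOf(redirectHost);
}

// Cross-check against the platform's WHATWG URL parser (global URL in Node.js
// and browsers), which already treats '\' as '/' in http(s) URLs.
function platformHost(href) {
  try { return new URL(href).hostname; } catch (e) { return null; }
}

// Constructed sample taken from the commit message.
const attacker = 'http://i.xss.com\\www.example.org/foo';
console.log(domainOf(naiveHost(attacker)));                           // example.org
console.log(domainOf(naiveHost(normalizeBackslashes(attacker))));     // xss.com
console.log(platformHost(attacker));                                  // i.xss.com
console.log(sameDomainRedirect('http://www.example.org/', attacker)); // false
```

Without normalization the naive parser reports `example.org` for the attacker URL, exactly as the commit message shows; after normalization it agrees with the browser's parser, so the same-domain check rejects the redirect.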