url: improve port validation#45012
Merged
nodejs-github-bot merged 3 commits intonodejs:mainfrom Oct 17, 2022
Merged
Conversation
nodejs-github-bot
added
needs-ci
github-actions
bot
removed
the
request-ci
Collaborator
Member
Author
|
As with #45011, this could be considered a semver-major breaking change, but we may want to consider this is a bugfix instead. Out of caution, though, we should run CITGM. We should also definitely make sure that |
RafaelGSS
approved these changes
Oct 15, 2022
anonrig
requested changes
Oct 15, 2022
If a port is not a number, throw rather than treating the `:` that delineates the port as part of the path. This is consistent with WHATWG URL and also mitigates hostname-spoofing. Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss (pyozzi@toss.im/Security-Tech Team in Toss).
anonrig
approved these changes
Oct 15, 2022
github-actions
bot
removed
the
request-ci
Collaborator
Member
Author
|
CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/3019/ (It will 404 until job 3018 finishes, though.) |
aduh95
approved these changes
Oct 15, 2022
jasnell
approved these changes
Oct 15, 2022
Member
Author
|
CITGM results look good to me |
Trott
added
the
author ready
anonrig
added
the
commit-queue
nodejs-github-bot
removed
the
commit-queue
Collaborator
|
Landed in 5f7730e |
RafaelGSS
pushed a commit
that referenced
this pull request
Nov 1, 2022
If a port is not a number, throw rather than treating the `:` that delineates the port as part of the path. This is consistent with WHATWG URL and also mitigates hostname-spoofing. Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss (pyozzi@toss.im/Security-Tech Team in Toss). PR-URL: #45012 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Merged
RafaelGSS
pushed a commit
that referenced
this pull request
Nov 10, 2022
If a port is not a number, throw rather than treating the `:` that delineates the port as part of the path. This is consistent with WHATWG URL and also mitigates hostname-spoofing. Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss (pyozzi@toss.im/Security-Tech Team in Toss). PR-URL: #45012 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
3 tasks
Member
This ended up breaking |
This was referenced Nov 19, 2022
Trott
added
baking-for-lts
Trott
added a commit
to Trott/io.js
that referenced
this pull request
Nov 19, 2022
This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: nodejs#45514 Refs: nodejs#45012
richardlau
removed
the
baking-for-lts
Member
|
Given the ecosystem breakage I can't see how this can land in LTS so I've removed the |
nodejs-github-bot
pushed a commit
that referenced
this pull request
Nov 19, 2022
This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: #45514 Refs: #45012 PR-URL: #45517 Fixes: #45514 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
ruyadorno
pushed a commit
that referenced
this pull request
Nov 21, 2022
This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: #45514 Refs: #45012 PR-URL: #45517 Fixes: #45514 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
marco-ippolito
pushed a commit
to marco-ippolito/node
that referenced
this pull request
Nov 23, 2022
This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: nodejs#45514 Refs: nodejs#45012 PR-URL: nodejs#45517 Fixes: nodejs#45514 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
If a port is not a number, throw rather than treating the
:that delineates the port as part of the path. This is consistent with WHATWG URL and also mitigates hostname-spoofing.Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss (pyozzi@toss.im/Security-Tech Team in Toss).