nodejs/nodejs4
SHA256
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
nodejs4/CVE-2018-12123.patch

85 lines
2.6 KiB
Diff
Raw Permalink Normal View History

Backport security fixes from NodeJS 6.x: * debugger: prevent the debugger from listening on 0.0.0.0. It now defaults to 127.0.0.1. CVE-2018-12120.patch - (CVE-2018-12120, bsc#1117625) * http: + Two-byte characters are now strictly disallowed for the path option in HTTP client requests. Paths containing characters outside of the range \u0021 - \u00ff will now be rejected with a TypeError. This behavior can be reverted if necessary by supplying the --security-revert=CVE-2018-12116 command line argument (this is not recommended). CVE-2018-12116.patch - (CVE-2018-12116, bsc#1117630) * util: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol. CVE-2018-12123.patch - (CVE-2018-12123, bnc#1117629) OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs4?expand=0&rev=99
2019-01-08 16:04:58 +00:00
Date: Tue Jan 8 13:20:49 CET 2019
Ported patch:
From 9c268d049219462de0792284c504f137751cf198 Mon Sep 17 00:00:00 2001
From: Matteo Collina <hello@matteocollina.com>
Date: Mon, 10 Sep 2018 12:57:07 +0200
Subject: [PATCH] url: avoid hostname spoofing w/ javascript protocol
CVE-2018-12123
Fixes: https://github.com/nodejs-private/security/issues/205
PR-URL: https://github.com/nodejs-private/node-private/pull/145
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Index: node-v4.9.1/lib/url.js
===================================================================
--- node-v4.9.1.orig/lib/url.js
+++ node-v4.9.1/lib/url.js
@@ -143,13 +143,13 @@ Url.prototype.parse = function(url, pars
// how the browser resolves relative URLs.
if (slashesDenoteHost || proto || rest.match(/^\/\/[^@\/]+@[^@\/]+/)) {
var slashes = rest.substr(0, 2) === '//';
- if (slashes && !(proto && hostlessProtocol[proto])) {
+ if (slashes && !(proto && hostlessProtocol[lowerProto])) {
rest = rest.substr(2);
this.slashes = true;
}
}
- if (!hostlessProtocol[proto] &&
+ if (!hostlessProtocol[lowerProto] &&
(slashes || (proto && !slashedProtocol[proto]))) {
// there's a hostname.
Index: node-v4.9.1/test/parallel/test-url.js
===================================================================
--- node-v4.9.1.orig/test/parallel/test-url.js
+++ node-v4.9.1/test/parallel/test-url.js
@@ -862,8 +862,40 @@ var parseTests = {
pathname: '/:npm/npm',
path: '/:npm/npm',
href: 'git+ssh://git@github.com/:npm/npm'
- }
+ },
+
+ // The following two URLs are the same, but they differ for
+ // a capital A: it is important that we verify that the protocol
+ // is checked in a case-insensitive manner.
+ 'javascript:alert(1);a=\x27@white-listed.com\x27': {
+ protocol: 'javascript:',
+ slashes: null,
+ auth: null,
+ host: null,
+ port: null,
+ hostname: null,
+ hash: null,
+ search: null,
+ query: null,
+ pathname: "alert(1);a='@white-listed.com'",
+ path: "alert(1);a='@white-listed.com'",
+ href: "javascript:alert(1);a='@white-listed.com'"
+ },
+ 'javAscript:alert(1);a=\x27@white-listed.com\x27': {
+ protocol: 'javascript:',
+ slashes: null,
+ auth: null,
+ host: null,
+ port: null,
+ hostname: null,
+ hash: null,
+ search: null,
+ query: null,
+ pathname: "alert(1);a='@white-listed.com'",
+ path: "alert(1);a='@white-listed.com'",
+ href: "javascript:alert(1);a='@white-listed.com'"
+ }
};
for (const u in parseTests) {
Reference in New Issue Copy Permalink