Adam Majer
3f386ef218
* debugger: prevent the debugger from listening on 0.0.0.0.
It now defaults to 127.0.0.1.
CVE-2018-12120.patch - (CVE-2018-12120, bsc#1117625)
* http:
+ Two-byte characters are now strictly disallowed for the path
option in HTTP client requests. Paths containing characters
outside of the range \u0021 - \u00ff will now be rejected
with a TypeError. This behavior can be reverted if necessary
by supplying the --security-revert=CVE-2018-12116 command
line argument (this is not recommended).
CVE-2018-12116.patch - (CVE-2018-12116, bsc#1117630)
* util: Fix a bug that would allow a hostname being spoofed when
parsing URLs with url.parse() with the 'javascript:' protocol.
CVE-2018-12123.patch - (CVE-2018-12123, bnc#1117629)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs4?expand=0&rev=99
85 lines
2.6 KiB
Diff
85 lines
2.6 KiB
Diff
Date: Tue Jan 8 13:20:49 CET 2019
|
|
|
|
Ported patch:
|
|
|
|
From 9c268d049219462de0792284c504f137751cf198 Mon Sep 17 00:00:00 2001
|
|
From: Matteo Collina <hello@matteocollina.com>
|
|
Date: Mon, 10 Sep 2018 12:57:07 +0200
|
|
Subject: [PATCH] url: avoid hostname spoofing w/ javascript protocol
|
|
|
|
CVE-2018-12123
|
|
|
|
Fixes: https://github.com/nodejs-private/security/issues/205
|
|
PR-URL: https://github.com/nodejs-private/node-private/pull/145
|
|
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
|
|
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
|
|
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
|
|
|
|
|
Index: node-v4.9.1/lib/url.js
|
|
===================================================================
|
|
--- node-v4.9.1.orig/lib/url.js
|
|
+++ node-v4.9.1/lib/url.js
|
|
@@ -143,13 +143,13 @@ Url.prototype.parse = function(url, pars
|
|
// how the browser resolves relative URLs.
|
|
if (slashesDenoteHost || proto || rest.match(/^\/\/[^@\/]+@[^@\/]+/)) {
|
|
var slashes = rest.substr(0, 2) === '//';
|
|
- if (slashes && !(proto && hostlessProtocol[proto])) {
|
|
+ if (slashes && !(proto && hostlessProtocol[lowerProto])) {
|
|
rest = rest.substr(2);
|
|
this.slashes = true;
|
|
}
|
|
}
|
|
|
|
- if (!hostlessProtocol[proto] &&
|
|
+ if (!hostlessProtocol[lowerProto] &&
|
|
(slashes || (proto && !slashedProtocol[proto]))) {
|
|
|
|
// there's a hostname.
|
|
Index: node-v4.9.1/test/parallel/test-url.js
|
|
===================================================================
|
|
--- node-v4.9.1.orig/test/parallel/test-url.js
|
|
+++ node-v4.9.1/test/parallel/test-url.js
|
|
@@ -862,8 +862,40 @@ var parseTests = {
|
|
pathname: '/:npm/npm',
|
|
path: '/:npm/npm',
|
|
href: 'git+ssh://git@github.com/:npm/npm'
|
|
- }
|
|
+ },
|
|
+
|
|
+ // The following two URLs are the same, but they differ for
|
|
+ // a capital A: it is important that we verify that the protocol
|
|
+ // is checked in a case-insensitive manner.
|
|
+ 'javascript:alert(1);a=\x27@white-listed.com\x27': {
|
|
+ protocol: 'javascript:',
|
|
+ slashes: null,
|
|
+ auth: null,
|
|
+ host: null,
|
|
+ port: null,
|
|
+ hostname: null,
|
|
+ hash: null,
|
|
+ search: null,
|
|
+ query: null,
|
|
+ pathname: "alert(1);a='@white-listed.com'",
|
|
+ path: "alert(1);a='@white-listed.com'",
|
|
+ href: "javascript:alert(1);a='@white-listed.com'"
|
|
+ },
|
|
|
|
+ 'javAscript:alert(1);a=\x27@white-listed.com\x27': {
|
|
+ protocol: 'javascript:',
|
|
+ slashes: null,
|
|
+ auth: null,
|
|
+ host: null,
|
|
+ port: null,
|
|
+ hostname: null,
|
|
+ hash: null,
|
|
+ search: null,
|
|
+ query: null,
|
|
+ pathname: "alert(1);a='@white-listed.com'",
|
|
+ path: "alert(1);a='@white-listed.com'",
|
|
+ href: "javascript:alert(1);a='@white-listed.com'"
|
|
+ }
|
|
};
|
|
|
|
for (const u in parseTests) {
|