Commitda4d763

wesleytoddjonchurchblakeembrey
committed
Improved fix for open redirect allow list bypass
Co-authored-by: Jon Church <me@jonchurch.com>Co-authored-by: Blake Embrey <hello@blakeembrey.com>
1 parent4f0f6cc commitda4d763

3 files changed

+280
-63
lines changed


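--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+* Improved fix for open redirect allow list bypass
+
 4.19.1 / 2024-03-20
 ==========
 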

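--- a/lib/response.js
+++ b/lib/response.js
@@ -34,7 +34,6 @@ var extname = path.extname;
 var mime = send.mime;
 var resolve = path.resolve;
 var vary = require('vary');
-var urlParse = require('url').parse;
 
 /**
  * Response prototype.
@@ -56,6 +55,7 @@ module.exports = res
  */
 
 var charsetRegExp = /;\s*charset\s*=/;
+var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?]+/;
 
 /**
  * Set status `code`.
@@ -905,32 +905,23 @@ res.cookie = function (name, value, options) {
  */
 
 res.location = function location(url) {
-  var loc = String(url);
+  var loc;
 
   // "back" is an alias for the referrer
   if (url === 'back') {
     loc = this.req.get('Referrer') || '/';
+  } else {
+    loc = String(url);
   }
 
-  var lowerLoc = loc.toLowerCase();
-  var encodedUrl = encodeUrl(loc);
-  if (lowerLoc.indexOf('https://') === 0 || lowerLoc.indexOf('http://') === 0) {
-    try {
-      var parsedUrl = urlParse(loc);
-      var parsedEncodedUrl = urlParse(encodedUrl);
-      // Because this can encode the host, check that we did not change the host
-      if (parsedUrl.host !== parsedEncodedUrl.host) {
-        // If the host changes after encodeUrl, return the original url
-        return this.set('Location', loc);
-      }
-    } catch (e) {
-      // If parse fails, return the original url
-      return this.set('Location', loc);
-    }
-  }
+  var m = schemaAndHostRegExp.exec(loc);
+  var pos = m ? m[0].length + 1 : 0;
+
+  // Only encode after host to avoid invalid encoding which can introduce
+  // vulnerabilities (e.g. `\\` to `%5C`).
+  loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos));
 
-  // set location
-  return this.set('Location', encodedUrl);
+  return this.set('Location', loc);
 };
 
 /**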
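Review bot: The `+ 1` in `var pos = m ? m[0].length + 1 : 0;` needs a why-comment, because it keeps not only the scheme and host but also the first character after the authority (the `/`, `?` or `\` that stopped the regex) out of encodeUrl, and a reader will otherwise take it for an off-by-one; I would put `// +1 also keeps the delimiter after the host verbatim so a backslash there is not rewritten to %5C` above it, assuming that is the intent. `schemaAndHostRegExp` in the earlier hunk is likewise undocumented; a line such as `// optional scheme, then // and the authority up to the first \, / or ? (a # is not a terminator here)` would state what is treated as host. Since `#` does not end the match, a value like `//host#x/y` keeps everything through the fragment unencoded, which looks harmless but deserves a test case. The third changed file is not in view, so regression coverage for a protocol-relative URL, a backslash directly after the host, and the `back` alias cannot be confirmed from this page.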
