url: improve port validation#45012
Merged
url: improve port validation #45012
Uh oh!
There was an error while loading. Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
nodejs-github-bot added needs-ci 
github-actionsbot removed the request-ci 
Collaborator
nodejs-github-bot commented Oct 15, 2022
MemberAuthor
Trott commented Oct 15, 2022
As with #45011, this could be considered a semver-major breaking change, but we may want to consider this is a bugfix instead. Out of caution, though, we should run CITGM. We should also definitely make sure that |
RafaelGSS approved these changes Oct 15, 2022
anonrig requested changes Oct 15, 2022
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
If a port is not a number, throw rather than treating the `:` that delineates the port as part of the path. This is consistent with WHATWG URL and also mitigates hostname-spoofing. Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss ([email protected]/Security-Tech Team in Toss).
anonrig approved these changes Oct 15, 2022
github-actionsbot removed the request-ci Collaborator
nodejs-github-bot commented Oct 15, 2022
MemberAuthor
CITGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/3019/ (It will 404 until job 3018 finishes, though.) |
aduh95 approved these changes Oct 15, 2022
jasnell approved these changes Oct 15, 2022
MemberAuthor
Trott commented Oct 15, 2022
CITGM results look good to me |
Trott added the author ready 
anonrig added the commit-queue nodejs-github-bot removed the commit-queue Collaborator
nodejs-github-bot commented Oct 17, 2022
Landed in 5f7730e |
RafaelGSS pushed a commit that referenced this pull request Nov 1, 2022
If a port is not a number, throw rather than treating the `:` that delineates the port as part of the path. This is consistent with WHATWG URL and also mitigates hostname-spoofing. Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss ([email protected]/Security-Tech Team in Toss). PR-URL: #45012 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: James M Snell <[email protected]>
Merged
RafaelGSS pushed a commit that referenced this pull request Nov 10, 2022
If a port is not a number, throw rather than treating the `:` that delineates the port as part of the path. This is consistent with WHATWG URL and also mitigates hostname-spoofing. Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss ([email protected]/Security-Tech Team in Toss). PR-URL: #45012 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: James M Snell <[email protected]>
3 tasks
Member
This ended up breaking |
This was referenced Nov 19, 2022
Trott added baking-for-lts Trott added a commit to Trott/io.js that referenced this pull request Nov 19, 2022
This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: nodejs#45514 Refs: nodejs#45012
richardlau removed the baking-for-lts 
Member
richardlau commented Nov 19, 2022
Given the ecosystem breakage I can't see how this can land in LTS so I've removed the |
nodejs-github-bot pushed a commit that referenced this pull request Nov 19, 2022
This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: #45514 Refs: #45012 PR-URL: #45517Fixes: #45514 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
ruyadorno pushed a commit that referenced this pull request Nov 21, 2022
This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: #45514 Refs: #45012 PR-URL: #45517Fixes: #45514 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
marco-ippolito pushed a commit to marco-ippolito/node that referenced this pull request Nov 23, 2022
This reverts commit 5f7730e. This change broke too many edge cases in the ecosystem. Reverting it re-introduces some host-spoofing possibilities, so we won't want to revert forever, but the issue is long-lived enough and not sufficiently critical that we can't wait for a major release to introduce it as a breaking change. After this lands, I plan to re-introduce this as a change that throws a warning rather than an error, after which we can land a semver-major that re-introduces the error and try to get the word out to maintainers of likely-affected packages. Closes: nodejs#45514 Refs: nodejs#45012 PR-URL: nodejs#45517Fixes: nodejs#45514 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
3 tasks
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
If a port is not a number, throw rather than treating the
:that delineates the port as part of the path. This is consistent with WHATWG URL and also mitigates hostname-spoofing.Concerns about hostname-spoofing were raised and presented in excellent detail by pyozzi-toss ([email protected]/Security-Tech Team in Toss).