express
Comparing version 4.19.1 to 4.19.2
@@ -37,3 +37,2 @@ /*! | ||
var vary = require('vary'); | ||
var urlParse = require('url').parse; | ||
@@ -60,2 +59,3 @@ /** | ||
var charsetRegExp = /;\s*charset\s*=/; | ||
var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?]+/; | ||
@@ -910,3 +910,3 @@ /** | ||
res.location = function location(url) { | ||
var loc = String(url); | ||
var loc; | ||
@@ -916,23 +916,14 @@ // "back" is an alias for the referrer | ||
loc = this.req.get('Referrer') || '/'; | ||
} else { | ||
loc = String(url); | ||
} | ||
var lowerLoc = loc.toLowerCase(); | ||
var encodedUrl = encodeUrl(loc); | ||
if (lowerLoc.indexOf('https://') === 0 || lowerLoc.indexOf('http://') === 0) { | ||
try { | ||
var parsedUrl = urlParse(loc); | ||
var parsedEncodedUrl = urlParse(encodedUrl); | ||
// Because this can encode the host, check that we did not change the host | ||
if (parsedUrl.host !== parsedEncodedUrl.host) { | ||
// If the host changes after encodeUrl, return the original url | ||
return this.set('Location', loc); | ||
} | ||
} catch (e) { | ||
// If parse fails, return the original url | ||
return this.set('Location', loc); | ||
} | ||
} | ||
var m = schemaAndHostRegExp.exec(loc); | ||
var pos = m ? m[0].length + 1 : 0; | ||
// set location | ||
return this.set('Location', encodedUrl); | ||
// Only encode after host to avoid invalid encoding which can introduce | ||
// vulnerabilities (e.g. `\\` to `%5C`). | ||
loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos)); | ||
return this.set('Location', loc); | ||
}; | ||
@@ -939,0 +930,0 @@ |
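Review bot: The host character class in `schemaAndHostRegExp` (`[^\\\/\?]+`, first hunk) does not stop at `#`, so for a value such as `http://host#a b` the match swallows the fragment, `pos` runs past the end of `loc`, and nothing after the authority reaches `encodeUrl` — text that 4.19.1's unconditional `encodeUrl(loc)` would have encoded now lands in the Location header raw. Since `#` also terminates the authority in the WHATWG URL parser, ending the class at it keeps the host intact while restoring encoding of the tail: `var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?#]+/;`. The `+ 1` in `var pos = m ? m[0].length + 1 : 0;` also deserves a comment, e.g. `// +1 keeps the delimiter right after the host (/, \, ? or end of string) out of the encoded tail`, since a reader may otherwise take it for an off-by-one. `res.location` opens in the preceding hunk and its closing `};` is in the last one, so the review covers both.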
{ | ||
"name": "express", | ||
"description": "Fast, unopinionated, minimalist web framework", | ||
"version": "4.19.1", | ||
"version": "4.19.2", | ||
"author": "TJ Holowaychuk <tj@vision-media.ca>", | ||
@@ -6,0 +6,0 @@ "contributors": [ |