express
Comparing version 5.0.0-beta.2 to 5.0.0-beta.3
@@ -37,3 +37,2 @@ /*! | ||
var vary = require('vary'); | ||
var urlParse = require('url').parse; | ||
@@ -55,2 +54,9 @@ /** | ||
/** | ||
* Module variables. | ||
* @private | ||
*/ | ||
var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?]+/; | ||
/** | ||
* Set status `code`. | ||
@@ -778,3 +784,3 @@ * | ||
res.location = function location(url) { | ||
var loc = String(url); | ||
var loc; | ||
@@ -784,23 +790,14 @@ // "back" is an alias for the referrer | ||
loc = this.req.get('Referrer') || '/'; | ||
} else { | ||
loc = String(url); | ||
} | ||
var lowerLoc = loc.toLowerCase(); | ||
var encodedUrl = encodeUrl(loc); | ||
if (lowerLoc.indexOf('https://') === 0 || lowerLoc.indexOf('http://') === 0) { | ||
try { | ||
var parsedUrl = urlParse(loc); | ||
var parsedEncodedUrl = urlParse(encodedUrl); | ||
// Because this can encode the host, check that we did not change the host | ||
if (parsedUrl.host !== parsedEncodedUrl.host) { | ||
// If the host changes after encodeUrl, return the original url | ||
return this.set('Location', loc); | ||
} | ||
} catch (e) { | ||
// If parse fails, return the original url | ||
return this.set('Location', loc); | ||
} | ||
} | ||
var m = schemaAndHostRegExp.exec(loc); | ||
var pos = m ? m[0].length + 1 : 0; | ||
// set location | ||
return this.set('Location', encodedUrl); | ||
// Only encode after host to avoid invalid encoding which can introduce | ||
// vulnerabilities (e.g. `\\` to `%5C`). | ||
loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos)); | ||
return this.set('Location', loc); | ||
}; | ||
@@ -807,0 +804,0 @@ |
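Review bot: The host character class in the new `schemaAndHostRegExp` (hunk @@ -55,2 +54,9) terminates at `\`, `/` and `?` but not `#`, so for a value such as `https://example.com#frag ment` the whole fragment is absorbed into the "host" match and copied through verbatim by the slice-and-encode step in `res.location`, whereas the same fragment placed after a path would presumably be passed through `encodeUrl`. If the intent is to leave only the authority untouched, the class could read `/^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?#]+/`, which cannot reject a legitimate host because `#` is never valid in one. The line `var pos = m ? m[0].length + 1 : 0;` also deserves a why-comment, since the `+ 1` deliberately passes the delimiter after the host through unencoded and `pos` may exceed `loc.length` when nothing follows the host (which `slice` tolerates), e.g. `// skip the host plus the delimiter after it (/, \ or ?); both are emitted as-is`. The body of `res.location` begins in the preceding hunk (@@ -778,3 +784,3), so the head of the `'back'` branch is not visible here.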
{ | ||
"name": "express", | ||
"description": "Fast, unopinionated, minimalist web framework", | ||
"version": "5.0.0-beta.2", | ||
"version": "5.0.0-beta.3", | ||
"author": "TJ Holowaychuk <tj@vision-media.ca>", | ||
@@ -6,0 +6,0 @@ "contributors": [ |