Skip to content

Commit

Permalink
http: reject control characters in http.request()
Browse files Browse the repository at this point in the history
Unsanitized paths containing line feed characters can be used for
header injection and request splitting so reject them with an exception.

There seems to be no reasonable use case for allowing control characters
(characters <= 31) while there are several scenarios where they can be
used to exploit software bugs so reject control characters altogether.

PR-URL: #8923
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: not-an-aardvark <not-an-aardvark@users.noreply.github.com>
  • Loading branch information
bnoordhuis authored and MylesBorins committed Mar 9, 2017
1 parent 4ce9bfb commit 15231aa
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 8 deletions.
2 changes: 1 addition & 1 deletion lib/_http_client.js
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ function ClientRequest(options, cb) {
if (self.agent && self.agent.protocol)
expectedProtocol = self.agent.protocol;

if (options.path && / /.test(options.path)) {
if (options.path && /[\u0000-\u0020]/.test(options.path)) {
// The actual regex is more like /[^A-Za-z0-9\-._~!$&'()*+,;=/:@]/
// with an additional rule for ignoring percentage-escaped characters
// but that's a) hard to capture in a regular expression that performs
Expand Down
19 changes: 12 additions & 7 deletions test/parallel/test-http-client-unescaped-path.js
Original file line number Diff line number Diff line change
@@ -1,9 +1,14 @@
'use strict';
var common = require('../common');
var assert = require('assert');
var http = require('http');
const common = require('../common');
const assert = require('assert');
const http = require('http');

assert.throws(function() {
// Path with spaces in it should throw.
http.get({ path: 'bad path' }, common.fail);
}, /contains unescaped characters/);
function* bad() {
for (let i = 0; i <= 32; i += 1)
yield 'bad' + String.fromCharCode(i) + 'path';
}

for (const path of bad()) {
assert.throws(() => http.get({ path }, common.fail),
/contains unescaped characters/);
}

0 comments on commit 15231aa

Please sign in to comment.