Merge tag '4.19.1' into 5.x
4.19.1
wesleytodd committed Mar 21, 2024
2 parents e9f9aae + 4f0f6cc commit 60fb1d2
Showing 3 changed files with 25 additions and 5 deletions.
9 changes: 7 additions & 2 deletions History.md
@@ -1,7 +1,7 @@
5.x
===

This incorporates all changes after 4.17.2 up to 4.17.3.
This incorporates all changes after 4.17.2 up to 4.19.1.

5.0.0-beta.1 / 2022-02-14
=========================
@@ -162,7 +162,12 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
* add:
- `app.router` is a reference to the base router

4.18.3 / 2024-03-20
4.19.1 / 2024-03-20
==========

* Allow passing non-strings to res.location with new encoding handling checks

4.19.0 / 2024-03-20
==========

* Prevent open redirect allow list bypass due to encodeurl
2 changes: 1 addition & 1 deletion lib/response.js
@@ -773,7 +773,7 @@ res.cookie = function (name, value, options) {
*/

res.location = function location(url) {
var loc = url;
var loc = String(url);

// "back" is an alias for the referrer
if (url === 'back') {
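Review bot: `var loc = String(url);` accepts every value, so `undefined`, `null`, or an array or object taken from a parsed query string is sent as "undefined", "null", a comma-joined list or "[object Object]" instead of being rejected. Because the header is built from the coerced string, an application that checks a redirect target against an allow list has to check that same string form, and the function's doc comment should say so, e.g. `// Non-strings (such as URL instances) are coerced with String(); validate the coerced value`. If nullish input is not meant to be supported, a guard such as `if (url == null) throw new TypeError('url is required');` placed before the coercion would make the mistake visible; whether existing callers rely on the lenient behaviour cannot be judged from this hunk. The body of res.location continues outside the hunk.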
19 changes: 17 additions & 2 deletions test/res.location.js
@@ -58,7 +58,7 @@ describe('res', function(){
});

request(app)
.get('/?q=http://google.com\\@apple.com')
.get('/?q=http://google.com' + encodeURIComponent('\\@apple.com'))
.expect(200)
.expect('Location', 'http://google.com\\@apple.com')
.end(function (err) {
@@ -68,7 +68,7 @@ describe('res', function(){

// This ensures that our protocol check is case insensitive
request(app)
.get('/?q=HTTP://google.com\\@apple.com')
.get('/?q=HTTP://google.com' + encodeURIComponent('\\@apple.com'))
.expect(200)
.expect('Location', 'HTTP://google.com\\@apple.com')
.end(done)
@@ -145,5 +145,20 @@ describe('res', function(){
.expect(200, done)
})
})

if (typeof URL !== 'undefined') {
it('should accept an instance of URL', function (done) {
var app = express();

app.use(function(req, res){
res.location(new URL('http://google.com/')).end();
});

request(app)
.get('/')
.expect('Location', 'http://google.com/')
.expect(200, done);
});
}
})
})
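Review bot: The only non-string input covered by the new case in the last hunk is a `URL` instance, while the non-strings an application is most likely to pass by accident are `req.query` values, which become arrays or objects when a parameter is repeated or bracketed. A companion test whose handler calls `res.location(req.query.q).end();` for a request such as `/?q=a&q=b`, and that pins the resulting Location header, would document how such input is coerced and stop it from changing silently. A nullish argument deserves the same treatment, so that the "undefined"/"null" header value is either asserted as intended or replaced by an expected error.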
