Merge tag '4.19.2' into 5.0
4.19.2
wesleytodd committed Mar 25, 2024
2 parents 416ba02 + 04bc627 commit 6415f70
Showing 3 changed files with 287 additions and 64 deletions.
7 changes: 6 additions & 1 deletion History.md
@@ -1,7 +1,7 @@
5.x
===

This incorporates all changes after 4.17.2 up to 4.19.1.
This incorporates all changes after 4.17.2 up to 4.19.2.

5.0.0-beta.1 / 2022-02-14
=========================
@@ -162,6 +162,11 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
* add:
- `app.router` is a reference to the base router

4.19.2 / 2024-03-25
==========

* Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20
==========

37 changes: 17 additions & 20 deletions lib/response.js
@@ -34,7 +34,6 @@ var send = require('send');
var extname = path.extname;
var resolve = path.resolve;
var vary = require('vary');
var urlParse = require('url').parse;

/**
* Response prototype.
@@ -50,6 +49,13 @@ var res = Object.create(http.ServerResponse.prototype)

module.exports = res

/**
* Module variables.
* @private
*/

var schemaAndHostRegExp = /^(?:[a-zA-Z][a-zA-Z0-9+.-]*:)?\/\/[^\\\/\?]+/;

/**
* Set status `code`.
*
@@ -773,32 +779,23 @@ res.cookie = function (name, value, options) {
*/

res.location = function location(url) {
var loc = String(url);
var loc;

// "back" is an alias for the referrer
if (url === 'back') {
loc = this.req.get('Referrer') || '/';
} else {
loc = String(url);
}

var lowerLoc = loc.toLowerCase();
var encodedUrl = encodeUrl(loc);
if (lowerLoc.indexOf('https://') === 0 || lowerLoc.indexOf('http://') === 0) {
try {
var parsedUrl = urlParse(loc);
var parsedEncodedUrl = urlParse(encodedUrl);
// Because this can encode the host, check that we did not change the host
if (parsedUrl.host !== parsedEncodedUrl.host) {
// If the host changes after encodeUrl, return the original url
return this.set('Location', loc);
}
} catch (e) {
// If parse fails, return the original url
return this.set('Location', loc);
}
}
var m = schemaAndHostRegExp.exec(loc);
var pos = m ? m[0].length + 1 : 0;

// Only encode after host to avoid invalid encoding which can introduce
// vulnerabilities (e.g. `\\` to `%5C`).
loc = loc.slice(0, pos) + encodeUrl(loc.slice(pos));

// set location
return this.set('Location', encodedUrl);
return this.set('Location', loc);
};

/**
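Review bot: In `res.location`, `loc.slice(0, pos)` now reaches the `Location` header with no encoding at all, and because `pos` is `m[0].length + 1` the single character after the matched scheme and host (a `/`, `\` or `?`, given the `[^\\\/\?]+` class) is passed through raw as well; the existing comment explains why the host is left alone but not the `+ 1`. I would state that next to `pos`, for example `// +1: also leave the delimiter after the host unencoded, so encodeUrl cannot rewrite it (e.g. "\" to "%5C")`, assuming that is the intent. `schemaAndHostRegExp` deserves a one-line comment saying it matches an optional scheme, `//`, and everything up to the first `\`, `/` or `?`; the class does not stop at `#`, so a fragment directly after the host falls inside the unencoded prefix, which is worth a test if intended. The third changed file is not rendered on this page, so coverage of those cases cannot be confirmed from here. As a point of naming, the URL part is a scheme, so `schemeAndHostRegExp` would read more accurately.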