From 201034b8670c2aa382d7ec410ee750ac6f2f9c38 Mon Sep 17 00:00:00 2001 From: Arnout Kazemier Date: Sun, 25 Jul 2021 14:43:14 +0200 Subject: [PATCH] [dist] 1.5.2 --- SECURITY.md | 15 +++++++++++++++ package.json | 2 +- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 31ef5b4..3a97067 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -33,6 +33,19 @@ acknowledge your responsible disclosure, if you wish. ## History +> url-parse mishandles certain use a single of (back) slash such as https:\ & +> https:/ and > interprets the URI as a relative path. Browsers accept a single +> backslash after the protocol, and treat it as a normal slash, while url-parse +> sees it as a relative path. + +- **Reporter credits** + - Ready-Research + - GitHub: [@Ready-Reserach](https://github.com/ready-research) +- Huntr report: https://www.huntr.dev/bounties/1625557993985-unshiftio/url-parse/ +- Fixed in: 1.5.2 + +--- + > Using backslash in the protocol is valid in the browser, while url-parse > thinks it’s a relative path. An application that validates a url using > url-parse might pass a malicious link. @@ -42,6 +55,8 @@ acknowledge your responsible disclosure, if you wish. - Twitter: [Yaniv Nizry](https://twitter.com/ynizry) - Fixed in: 1.5.0 +--- + > The `extractProtocol` method does not return the correct protocol when > provided with unsanitized content which could lead to false positives. diff --git a/package.json b/package.json index 93a6797..3183f73 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "url-parse", - "version": "1.5.1", + "version": "1.5.2", "description": "Small footprint URL parser that works seamlessly across Node.js and browser environments", "main": "index.js", "scripts": {