url: disallow invalid IPv4 in IPv6 parser

watilde · evanlucas · commit 29531d2654de · 2017-05-01T11:16:07.000-05:00
PR-URL: #12507 Fixes: #10655 Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/src/node_url.cc b/src/node_url.cc
@@ -110,7 +110,7 @@ namespace url {
     uint16_t* compress_pointer = nullptr;
     const char* pointer = input;
     const char* end = pointer + length;
-    unsigned value, len, swaps, dots;
+    unsigned value, len, swaps, numbers_seen;
     char ch = pointer < end ? pointer[0] : kEOL;
     if (ch == ':') {
       if (length < 2 || pointer[1] != ':')
@@ -148,9 +148,17 @@ namespace url {
           ch = pointer < end ? pointer[0] : kEOL;
           if (piece_pointer > last_piece - 2)
             goto end;
-          dots = 0;
+          numbers_seen = 0;
           while (ch != kEOL) {
             value = 0xffffffff;
+            if (numbers_seen > 0) {
+              if (ch == '.' && numbers_seen < 4) {
+                pointer++;
+                ch = pointer < end ? pointer[0] : kEOL;
+              } else {
+                goto end;
+              }
+            }
             if (!ASCII_DIGIT(ch))
               goto end;
             while (ASCII_DIGIT(ch)) {
@@ -167,19 +175,13 @@ namespace url {
               pointer++;
               ch = pointer < end ? pointer[0] : kEOL;
             }
-            if (dots < 3 && ch != '.')
-              goto end;
             *piece_pointer = *piece_pointer * 0x100 + value;
-            if (dots & 0x1)
+            numbers_seen++;
+            if (numbers_seen == 2 || numbers_seen == 4)
               piece_pointer++;
-            if (ch != kEOL) {
-              pointer++;
-              ch = pointer < end ? pointer[0] : kEOL;
-            }
-            if (dots == 3 && ch != kEOL)
-              goto end;
-            dots++;
           }
+          if (numbers_seen != 4)
+            goto end;
           continue;
         case ':':
           pointer++;
diff --git a/test/fixtures/url-setter-tests.js b/test/fixtures/url-setter-tests.js
@@ -880,42 +880,42 @@ module.exports =
                 "hostname": "example.net"
             }
         },
-        // {
-        //     "href": "http://example.net/",
-        //     "new_value": "[::1.2.3.4x]",
-        //     "expected": {
-        //         "href": "http://example.net/",
-        //         "host": "example.net",
-        //         "hostname": "example.net"
-        //     }
-        // },
-        // {
-        //     "href": "http://example.net/",
-        //     "new_value": "[::1.2.3.]",
-        //     "expected": {
-        //         "href": "http://example.net/",
-        //         "host": "example.net",
-        //         "hostname": "example.net"
-        //     }
-        // },
-        // {
-        //     "href": "http://example.net/",
-        //     "new_value": "[::1.2.]",
-        //     "expected": {
-        //         "href": "http://example.net/",
-        //         "host": "example.net",
-        //         "hostname": "example.net"
-        //     }
-        // },
-        // {
-        //     "href": "http://example.net/",
-        //     "new_value": "[::1.]",
-        //     "expected": {
-        //         "href": "http://example.net/",
-        //         "host": "example.net",
-        //         "hostname": "example.net"
-        //     }
-        // },
+        {
+            "href": "http://example.net/",
+            "new_value": "[::1.2.3.4x]",
+            "expected": {
+                "href": "http://example.net/",
+                "host": "example.net",
+                "hostname": "example.net"
+            }
+        },
+        {
+            "href": "http://example.net/",
+            "new_value": "[::1.2.3.]",
+            "expected": {
+                "href": "http://example.net/",
+                "host": "example.net",
+                "hostname": "example.net"
+            }
+        },
+        {
+            "href": "http://example.net/",
+            "new_value": "[::1.2.]",
+            "expected": {
+                "href": "http://example.net/",
+                "host": "example.net",
+                "hostname": "example.net"
+            }
+        },
+        {
+            "href": "http://example.net/",
+            "new_value": "[::1.]",
+            "expected": {
+                "href": "http://example.net/",
+                "host": "example.net",
+                "hostname": "example.net"
+            }
+        },
         // {
         //     "href": "file://y/",
         //     "new_value": "x:123",
@@ -1214,42 +1214,42 @@ module.exports =
                 "hostname": "example.net"
             }
         },
-        // {
-        //     "href": "http://example.net/",
-        //     "new_value": "[::1.2.3.4x]",
-        //     "expected": {
-        //         "href": "http://example.net/",
-        //         "host": "example.net",
-        //         "hostname": "example.net"
-        //     }
-        // },
-        // {
-        //     "href": "http://example.net/",
-        //     "new_value": "[::1.2.3.]",
-        //     "expected": {
-        //         "href": "http://example.net/",
-        //         "host": "example.net",
-        //         "hostname": "example.net"
-        //     }
-        // },
-        // {
-        //     "href": "http://example.net/",
-        //     "new_value": "[::1.2.]",
-        //     "expected": {
-        //         "href": "http://example.net/",
-        //         "host": "example.net",
-        //         "hostname": "example.net"
-        //     }
-        // },
-        // {
-        //     "href": "http://example.net/",
-        //     "new_value": "[::1.]",
-        //     "expected": {
-        //         "href": "http://example.net/",
-        //         "host": "example.net",
-        //         "hostname": "example.net"
-        //     }
-        // },
+        {
+            "href": "http://example.net/",
+            "new_value": "[::1.2.3.4x]",
+            "expected": {
+                "href": "http://example.net/",
+                "host": "example.net",
+                "hostname": "example.net"
+            }
+        },
+        {
+            "href": "http://example.net/",
+            "new_value": "[::1.2.3.]",
+            "expected": {
+                "href": "http://example.net/",
+                "host": "example.net",
+                "hostname": "example.net"
+            }
+        },
+        {
+            "href": "http://example.net/",
+            "new_value": "[::1.2.]",
+            "expected": {
+                "href": "http://example.net/",
+                "host": "example.net",
+                "hostname": "example.net"
+            }
+        },
+        {
+            "href": "http://example.net/",
+            "new_value": "[::1.]",
+            "expected": {
+                "href": "http://example.net/",
+                "host": "example.net",
+                "hostname": "example.net"
+            }
+        },
         // {
         //     "href": "file://y/",
         //     "new_value": "x:123",
diff --git a/test/fixtures/url-tests.js b/test/fixtures/url-tests.js
@@ -3800,26 +3800,26 @@ module.exports =
     "base": "http://other.com/",
     "failure": true
   },
-  // {
-  //   "input": "http://[::1.2.3.4x]",
-  //   "base": "http://other.com/",
-  //   "failure": true
-  // },
-  // {
-  //   "input": "http://[::1.2.3.]",
-  //   "base": "http://other.com/",
-  //   "failure": true
-  // },
-  // {
-  //   "input": "http://[::1.2.]",
-  //   "base": "http://other.com/",
-  //   "failure": true
-  // },
-  // {
-  //   "input": "http://[::1.]",
-  //   "base": "http://other.com/",
-  //   "failure": true
-  // },
+  {
+    "input": "http://[::1.2.3.4x]",
+    "base": "http://other.com/",
+    "failure": true
+  },
+  {
+    "input": "http://[::1.2.3.]",
+    "base": "http://other.com/",
+    "failure": true
+  },
+  {
+    "input": "http://[::1.2.]",
+    "base": "http://other.com/",
+    "failure": true
+  },
+  {
+    "input": "http://[::1.]",
+    "base": "http://other.com/",
+    "failure": true
+  },
   "Misc Unicode",
   {
     "input": "http://foo:💩@example.com/bar",
