url: forbid pipe in URL host

RaisinTen · MylesBorins · commit 570fbcef93e3 · 2021-04-04T15:22:54.000-04:00
Fixes: #37862 PR-URL: #37877 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
diff --git a/src/node_url.cc b/src/node_url.cc
@@ -208,7 +208,7 @@ CHAR_TEST(8, IsForbiddenHostCodePoint,
           ch == ' ' || ch == '#' || ch == '%' || ch == '/' ||
           ch == ':' || ch == '?' || ch == '@' || ch == '[' ||
           ch == '<' || ch == '>' || ch == '\\' || ch == ']' ||
-          ch == '^')
+          ch == '^' || ch == '|')
 
 // https://url.spec.whatwg.org/#windows-drive-letter
 TWO_CHAR_STRING_TEST(8, IsWindowsDriveLetter,
diff --git a/test/cctest/test_url.cc b/test/cctest/test_url.cc
@@ -44,6 +44,11 @@ TEST_F(URLTest, Simple2) {
   EXPECT_EQ(simple.fragment(), "fragment");
 }
 
+TEST_F(URLTest, ForbiddenHostCodePoint) {
+  URL error("https://exa|mple.org:81/a/b/c?query#fragment");
+  EXPECT_TRUE(error.flags() & URL_FLAGS_FAILED);
+}
+
 TEST_F(URLTest, NoBase1) {
   URL error("123noscheme");
   EXPECT_TRUE(error.flags() & URL_FLAGS_FAILED);
diff --git a/test/fixtures/wpt/README.md b/test/fixtures/wpt/README.md
@@ -21,7 +21,7 @@ Last update:
 - html/webappapis/timers: https://github.com/web-platform-tests/wpt/tree/5873f2d8f1/html/webappapis/timers
 - interfaces: https://github.com/web-platform-tests/wpt/tree/79fa4cf76e/interfaces
 - resources: https://github.com/web-platform-tests/wpt/tree/972ca5b669/resources
-- url: https://github.com/web-platform-tests/wpt/tree/33f2e3f2e7/url
+- url: https://github.com/web-platform-tests/wpt/tree/5eebfdb1f6/url
 
 [Web Platform Tests]: https://github.com/web-platform-tests/wpt
 [`git node wpt`]: https://github.com/nodejs/node-core-utils/blob/master/docs/git-node.md#git-node-wpt
diff --git a/test/fixtures/wpt/url/resources/urltestdata.json b/test/fixtures/wpt/url/resources/urltestdata.json
@@ -4682,30 +4682,30 @@
   },
   "Allowed host code points",
   {
-    "input": "http://\u001F!\"$&'()*+,-.;=_`{|}~/",
+    "input": "http://\u001F!\"$&'()*+,-.;=_`{}~/",
     "base": "about:blank",
-    "href": "http://\u001F!\"$&'()*+,-.;=_`{|}~/",
-    "origin": "http://\u001F!\"$&'()*+,-.;=_`{|}~",
+    "href": "http://\u001F!\"$&'()*+,-.;=_`{}~/",
+    "origin": "http://\u001F!\"$&'()*+,-.;=_`{}~",
     "protocol": "http:",
     "username": "",
     "password": "",
-    "host": "\u001F!\"$&'()*+,-.;=_`{|}~",
-    "hostname": "\u001F!\"$&'()*+,-.;=_`{|}~",
+    "host": "\u001F!\"$&'()*+,-.;=_`{}~",
+    "hostname": "\u001F!\"$&'()*+,-.;=_`{}~",
     "port": "",
     "pathname": "/",
     "search": "",
     "hash": ""
   },
   {
-    "input": "sc://\u001F!\"$&'()*+,-.;=_`{|}~/",
+    "input": "sc://\u001F!\"$&'()*+,-.;=_`{}~/",
     "base": "about:blank",
-    "href": "sc://%1F!\"$&'()*+,-.;=_`{|}~/",
+    "href": "sc://%1F!\"$&'()*+,-.;=_`{}~/",
     "origin": "null",
     "protocol": "sc:",
     "username": "",
     "password": "",
-    "host": "%1F!\"$&'()*+,-.;=_`{|}~",
-    "hostname": "%1F!\"$&'()*+,-.;=_`{|}~",
+    "host": "%1F!\"$&'()*+,-.;=_`{}~",
+    "hostname": "%1F!\"$&'()*+,-.;=_`{}~",
     "port": "",
     "pathname": "/",
     "search": "",
@@ -5202,6 +5202,56 @@
     "search": "",
     "hash": ""
   },
+  {
+    "input": "file://%43%3A",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "file://%43%7C",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "file://%43|",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "file://C%7C",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "file://%43%7C/",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "https://%43%7C/",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "asdf://%43|/",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "asdf://%43%7C/",
+    "base": "about:blank",
+    "href": "asdf://%43%7C/",
+    "origin": "null",
+    "protocol": "asdf:",
+    "username": "",
+    "password": "",
+    "host": "%43%7C",
+    "hostname": "%43%7C",
+    "port": "",
+    "pathname": "/",
+    "search": "",
+    "hash": ""
+  },
   "# file URLs relative to other file URLs (via https://github.com/jsdom/whatwg-url/pull/60)",
   {
     "input": "pix/submit.gif",
diff --git a/test/fixtures/wpt/versions.json b/test/fixtures/wpt/versions.json
@@ -44,7 +44,7 @@
     "path": "resources"
   },
   "url": {
-    "commit": "33f2e3f2e759bd51ebf8e4b9a01b067bc8281c5c",
+    "commit": "5eebfdb1f68059549b3efff380dd190bc6078266",
     "path": "url"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@`
`44`	`44`	`"path": "resources"`
`45`	`45`	`},`
`46`	`46`	`"url": {`
`47`		`- "commit": "33f2e3f2e759bd51ebf8e4b9a01b067bc8281c5c",`
	`47`	`+ "commit": "5eebfdb1f68059549b3efff380dd190bc6078266",`
`48`	`48`	`"path": "url"`
`49`	`49`	`}`
`50`	`50`	`}`