CVE-2021-3664: [fix] Ignore slashes after the protocol for special URLs · unshiftio/url-parse@81ab967
url-parse is vulnerable to URL Redirection to Untrusted Site (open redirect): for special schemes such as `https:`, extra slashes or backslashes after the protocol were apparently not all consumed, so an input like `https:\\github.com/foo/bar` could be parsed without the expected host, letting a hostname survive into a value a consumer treats as a relative path.
@@ -93,7 +93,7 @@ describe('url-parse’, function () { assume(parse.extractProtocol(‘//foo/bar’)).eql({ slashes: true, protocol: '’, rest: ‘foo/bar’ rest: ‘//foo/bar’ }); });
@@ -283,7 +283,7 @@ describe('url-parse’, function () { assume(parsed.href).equals(‘http://what-is-up.com/’); });
it('does not see a slash after the protocol as path’, function () { it('ignores slashes after the protocol for special URLs’, function () { var url = ‘https:\\/github.com/foo/bar’ , parsed = parse(url);
@@ -292,11 +292,59 @@ describe('url-parse’, function () { assume(parsed.pathname).equals(‘/foo/bar’);
url = 'https:/\\/\\/\\github.com/foo/bar’; parsed = parse(url); assume(parsed.host).equals(‘github.com’); assume(parsed.hostname).equals(‘github.com’); assume(parsed.pathname).equals(‘/foo/bar’);
url = 'https:/github.com/foo/bar’; parsed = parse(url); assume(parsed.host).equals(‘github.com’); assume(parsed.pathname).equals(‘/foo/bar’);
url = 'https:\\github.com/foo/bar’; parsed = parse(url); assume(parsed.host).equals(‘github.com’); assume(parsed.pathname).equals(‘/foo/bar’);
url = 'https:github.com/foo/bar’; parsed = parse(url); assume(parsed.host).equals(‘github.com’); assume(parsed.pathname).equals(‘/foo/bar’);
url = 'https:github.com/foo/bar’; parsed = parse(url); assume(parsed.host).equals(‘github.com’); assume(parsed.pathname).equals(‘/foo/bar’); });
it('handles slashes after the protocol for non special URLs’, function () { var url = ‘foo:example.com’ , parsed = parse(url);
assume(parsed.hostname).equals(‘’); assume(parsed.pathname).equals(‘example.com’); assume(parsed.href).equals(‘foo:example.com’);
url = 'foo:/example.com’; parsed = parse(url); assume(parsed.hostname).equals(‘’); assume(parsed.pathname).equals(‘/example.com’); assume(parsed.href).equals(‘foo:/example.com’);
url = 'foo://example.com’; parsed = parse(url); assume(parsed.hostname).equals(‘example.com’); assume(parsed.pathname).equals(‘/’); assume(parsed.href).equals(‘foo://example.com/’);
url = 'foo:///example.com’; parsed = parse(url); assume(parsed.hostname).equals(‘’); assume(parsed.pathname).equals(‘/example.com’); assume(parsed.href).equals(‘foo:///example.com’); })
describe('origin’, function () { it('generates an origin property’, function () { var url = ‘http://google.com:80/pathname’ @@ -440,7 +488,7 @@ describe('url-parse’, function () { });
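Review bot: The new special-URL cases from `url = 'https:/\\/\\/\\github.com/foo/bar'` down to `url = 'https:github.com/foo/bar'` assert only `host`/`hostname` and `pathname`, whereas the non-special cases that follow also pin `href`. Since an open-redirect check downstream typically compares the serialized URL, each special case should also assert `assume(parsed.href).equals('https://github.com/foo/bar');` so the fix is verified to normalize the slashes in the output, not just to recover the host. The `https:github.com/foo/bar` block appears twice in a row; unless that is a rendering artifact, the second copy is a verbatim duplicate and should be removed or given a distinct input. The enclosing `it('ignores slashes after the protocol for special URLs', …)` callback opens in the previous hunk, outside this one.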
it('handles the file: protocol’, function () { var slashes = ['’, '/’, '//’, '///’, '////’, ‘/////’]; var slashes = ['’, '/’, '//’, ‘///’]; var data; var url;
@@ -451,6 +499,18 @@ describe('url-parse’, function () { assume(data.href).equals(‘file:///’); }
url = 'file:////’; data = parse(url); assume(data.protocol).equals(‘file:’); assume(data.pathname).equals(‘//’); assume(data.href).equals(url);
url = 'file://///’; data = parse(url); assume(data.protocol).equals(‘file:’); assume(data.pathname).equals(‘///’); assume(data.href).equals(url);
url = 'file:///Users/foo/BAR/baz.pdf’; data = parse(url); assume(data.protocol).equals(‘file:’);
Dell Streaming Data Platform prior to 1.4 contains an Open Redirect vulnerability. An attacker with the same privileges as a legitimate user can phish the legitimate user into following a redirect to a malicious website, leading to information disclosure and the launch of phishing attacks.