1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

http: optimize short path validation

Browse Source 
PR-URL: https://github.com/nodejs/node/pull/10654
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
This commit is contained in:
Brian White 2017-01-06 03:11:38 -05:00
parent 6782577eef
commit 5c2ef14f21
No known key found for this signature in database
GPG Key ID: 606D7358F94DA209
1 changed files with 42 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
lib/_http_client.js
View File

@ -15,6 +15,34 @@ const Agent = require('_http_agent');
const Buffer = require('buffer').Buffer; const Buffer = require('buffer').Buffer;
const urlToOptions = require('internal/url').urlToOptions; const urlToOptions = require('internal/url').urlToOptions;
// The actual list of disallowed characters in regexp form is more like:
// /[^A-Za-z0-9\-._~!$&'()*+,;=/:@]/
// with an additional rule for ignoring percentage-escaped characters, but
// that's a) hard to capture in a regular expression that performs well, and
// b) possibly too restrictive for real-world usage. So instead we restrict the
// filter to just control characters and spaces.
//
// This function is used in the case of small paths, where manual character code
// checks can greatly outperform the equivalent regexp (tested in V8 5.4).
function isInvalidPath(s) {
var i = 0;
if (s.charCodeAt(0) <= 32) return true;
if (++i >= s.length) return false;
if (s.charCodeAt(1) <= 32) return true;
if (++i >= s.length) return false;
if (s.charCodeAt(2) <= 32) return true;
if (++i >= s.length) return false;
if (s.charCodeAt(3) <= 32) return true;
if (++i >= s.length) return false;
if (s.charCodeAt(4) <= 32) return true;
if (++i >= s.length) return false;
if (s.charCodeAt(5) <= 32) return true;
++i;
for (; i < s.length; ++i)
if (s.charCodeAt(i) <= 32) return true;
return false;
}
function ClientRequest(options, cb) { function ClientRequest(options, cb) {
var self = this; var self = this;
OutgoingMessage.call(self); OutgoingMessage.call(self);
@ -45,14 +73,20 @@ function ClientRequest(options, cb) {
if (self.agent && self.agent.protocol) if (self.agent && self.agent.protocol)
expectedProtocol = self.agent.protocol; expectedProtocol = self.agent.protocol;
if (options.path && /[\u0000-\u0020]/.test(options.path)) { var path;
// The actual regex is more like /[^A-Za-z0-9\-._~!$&'()*+,;=/:@]/ if (options.path) {
// with an additional rule for ignoring percentage-escaped characters path = '' + options.path;
// but that's a) hard to capture in a regular expression that performs var invalidPath;
// well, and b) possibly too restrictive for real-world usage. if (path.length <= 39) { // Determined experimentally in V8 5.4
// Restrict the filter to control characters and spaces. invalidPath = isInvalidPath(path);
throw new TypeError('Request path contains unescaped characters'); } else {
} else if (protocol !== expectedProtocol) { invalidPath = /[\u0000-\u0020]/.test(path);
}
if (invalidPath)
throw new TypeError('Request path contains unescaped characters');
}
if (protocol !== expectedProtocol) {
throw new Error('Protocol "' + protocol + '" not supported. ' + throw new Error('Protocol "' + protocol + '" not supported. ' +
'Expected "' + expectedProtocol + '"'); 'Expected "' + expectedProtocol + '"');
} }