- From: Benjamin Gruenbaum <notifications@github.com>
- Date: Mon, 26 Mar 2018 00:54:28 -0700
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 26 March 2018 07:54:53 UTC
Following discussion from https://github.com/nodejs/node/issues/19595 cc @annevk @nodeav
At the moment `URL`s convert ports passed as numbers to strings in order to get the port number (specified in https://url.spec.whatwg.org/#port-state ). This is like the `parseInt` algorithm in that it ignores things after the first dot - which enables the following behavior:
```js
var port = readPort(); // attacker returns 30 ** 30, which gets coerced to 2.05891132094649e+44
// our validation: don't allow opening a connection to a lower-than 1024 port to the server.
if (typeof port !== 'number' || port < 1024) {
return false;
}
serverUrl.port = port; // port set to 2
download(serverUrl); // user connected to port we didn't mean them to be able to connect to
```
https://github.com/whatwg/url/issues/377
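The coercion described in the issue, reproduced as an added example (not code from the issue author or the URL Standard), alongside a port check that closes the gap. It assumes Node.js with the global WHATWG `URL` class; `coercedPort`, `weakCheck`, `setPortSafely` and `demo` are names chosen here.

```js
// Added example: assumes Node.js with the global WHATWG URL class.

// What the URL port setter does with a non-integer number: the value is
// stringified ("2.05891132094649e+44") and the port parser stops at the
// first non-digit, so the port becomes "2".
function coercedPort(port) {
  const u = new URL('http://example.com/');
  u.port = port;
  return u.port; // always a string, e.g. '2'
}

// The check from the issue: guards only the type and the lower bound.
function weakCheck(port) {
  return typeof port === 'number' && port >= 1024;
}

// Hardened check: require an integral value inside the valid TCP range
// (note Number.isInteger(30 ** 30) is true, so the upper bound is what
// rejects it), then confirm the parsed port equals the validated value.
function setPortSafely(url, port) {
  if (!Number.isInteger(port) || port < 1024 || port > 65535) {
    return false;
  }
  url.port = port;
  return url.port === String(port); // reject any silent truncation
}

function demo() {
  const attackerPort = 30 ** 30; // constructed hostile input, ~2.06e44
  return {
    weakAccepts: weakCheck(attackerPort),                            // true
    coercedTo: coercedPort(attackerPort),                            // '2'
    safeAccepts: setPortSafely(new URL('http://example.com/'), attackerPort), // false
    safeAccepts8080: setPortSafely(new URL('http://example.com/'), 8080),     // true
  };
}
```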