authorJonathan Johnson <me@jondavidjohn.com>2014-11-26 20:02:25 -0600
committerTrevor Norris <trev.norris@gmail.com>2014-12-02 17:24:18 -0800
commit61204720361824881aefd64f5bccda7d7be6617a (patch)
treec1679aac01a66eaaf316cfd5b63e518f7ef028a7 /lib
parentc4f6c22c2033038c3629bc5c48f0f2346d211378 (diff)
url: change hostname regex to negate invalid chars
Regarding joyent/node#8520. This changes hostname validation from a whitelist regex approach to a blacklist regex approach as described in https://url.spec.whatwg.org/#host-parsing. url.parse misinterpreted `https://good.com+.evil.org/` as `https://good.com/+.evil.org/`. If we use url.parse to check the validity of the hostname, the test passes, but in the browser the user is redirected to the evil.org website.
Diffstat (limited to 'lib')
-rw-r--r--lib/url.js5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/url.js b/lib/url.js
index f5e7ec0a9..0302fda14 100644
--- a/lib/url.js
+++ b/lib/url.js
@@ -70,8 +70,9 @@ var protocolPattern = /^([a-z0-9.+-]+:)/i,
nonHostChars = ['%', '/', '?', ';', '#'].concat(autoEscape),
hostEndingChars = ['/', '?', '#'],
hostnameMaxLen = 255,
- hostnamePartPattern = /^[a-z0-9A-Z_-]{0,63}$/,
- hostnamePartStart = /^([a-z0-9A-Z_-]{0,63})(.*)$/,
+ hostnamePatternString = '[^' + nonHostChars.join('') + ']{0,63}',
+ hostnamePartPattern = new RegExp('^' + hostnamePatternString + '$'),
+ hostnamePartStart = new RegExp('^(' + hostnamePatternString + ')(.*)$'),
// protocols that can allow "unsafe" and "unwise" chars.
unsafeProtocol = {
'javascript': true,
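Review bot: The character class on the first added line is built by splicing nonHostChars into `[^...]` verbatim, so any `\`, `]` or `-` in that array (or in autoEscape, which it concatenates and which is defined above the hunk) is read as regex syntax rather than as a forbidden character, and an unlucky ordering would silently widen what a hostname part accepts. The current contents of those arrays are not visible here, so this may be safe today, but it is fragile against future additions to either list. Escaping each member keeps the blacklist literal: `hostnamePatternString = '[^' + nonHostChars.map(function(c) { return '\\' + c; }).join('') + ']{0,63}',`. Failing that, a comment on that line stating that nonHostChars and autoEscape must not contain `]`, `\` or `-` would at least make the assumption explicit for the next maintainer.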