Skip to content

Commit

Permalink
[dist] 1.5.2
Browse files Browse the repository at this point in the history
  • Loading branch information
3rd-Eden committed Jul 25, 2021
1 parent 2d9ac2c commit 201034b
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 1 deletion.
15 changes: 15 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,19 @@ acknowledge your responsible disclosure, if you wish.

## History

> url-parse mishandles certain use a single of (back) slash such as https:\ &
> https:/ and > interprets the URI as a relative path. Browsers accept a single
> backslash after the protocol, and treat it as a normal slash, while url-parse
> sees it as a relative path.
- **Reporter credits**
- Ready-Research
- GitHub: [@Ready-Reserach](https://github.com/ready-research)
- Huntr report: https://www.huntr.dev/bounties/1625557993985-unshiftio/url-parse/
- Fixed in: 1.5.2

---

> Using backslash in the protocol is valid in the browser, while url-parse
> thinks it’s a relative path. An application that validates a url using
> url-parse might pass a malicious link.
Expand All @@ -42,6 +55,8 @@ acknowledge your responsible disclosure, if you wish.
- Twitter: [Yaniv Nizry](https://twitter.com/ynizry)
- Fixed in: 1.5.0

---

> The `extractProtocol` method does not return the correct protocol when
> provided with unsanitized content which could lead to false positives.
Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "url-parse",
"version": "1.5.1",
"version": "1.5.2",
"description": "Small footprint URL parser that works seamlessly across Node.js and browser environments",
"main": "index.js",
"scripts": {
Expand Down

0 comments on commit 201034b

Please sign in to comment.