From 9be51ee9a1ea8f9cc578abc1b9e70b220f7488ac Mon Sep 17 00:00:00 2001
From: Yash Ladha <yashladhapankajladha123@gmail.com>
Date: Sat, 9 May 2020 21:47:52 +0530
Subject: [PATCH] url: forbid lt and gt in url host code point

As per the recent changes in whatwg/url spec. lt and gt are also added
in the list of forbidden hostCodePoint list.

PR-URL: https://github.com/nodejs/node/pull/33328
Refs: https://github.com/whatwg/url/pull/459
Refs: https://github.com/nodejs/node/issues/33315
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
---
 src/node_url.cc                               |  3 +-
 .../wpt/url/resources/urltestdata.json        | 77 +++++++++++++++----
 2 files changed, 64 insertions(+), 16 deletions(-)

diff --git a/src/node_url.cc b/src/node_url.cc
index 27e89e8d9b7652..8751588d8bf309 100644
--- a/src/node_url.cc
+++ b/src/node_url.cc
@@ -206,7 +206,8 @@ CHAR_TEST(8, IsForbiddenHostCodePoint,
           ch == '\0' || ch == '\t' || ch == '\n' || ch == '\r' ||
           ch == ' ' || ch == '#' || ch == '%' || ch == '/' ||
           ch == ':' || ch == '?' || ch == '@' || ch == '[' ||
-          ch == '\\' || ch == ']')
+          ch == '<' || ch == '>' || ch == '\\' || ch == ']' ||
+          ch == '^')
 
 // https://url.spec.whatwg.org/#windows-drive-letter
 TWO_CHAR_STRING_TEST(8, IsWindowsDriveLetter,
diff --git a/test/fixtures/wpt/url/resources/urltestdata.json b/test/fixtures/wpt/url/resources/urltestdata.json
index bf4e2a7833d17f..58501e215318df 100644
--- a/test/fixtures/wpt/url/resources/urltestdata.json
+++ b/test/fixtures/wpt/url/resources/urltestdata.json
@@ -4481,21 +4481,6 @@
     "search": "",
     "hash": ""
   },
-  {
-    "input": "sc://\u001F!\"$&'()*+,-.;<=>^_`{|}~/",
-    "base": "about:blank",
-    "href": "sc://%1F!\"$&'()*+,-.;<=>^_`{|}~/",
-    "origin": "null",
-    "protocol": "sc:",
-    "username": "",
-    "password": "",
-    "host": "%1F!\"$&'()*+,-.;<=>^_`{|}~",
-    "hostname": "%1F!\"$&'()*+,-.;<=>^_`{|}~",
-    "port": "",
-    "pathname": "/",
-    "search": "",
-    "hash": ""
-  },
   {
     "input": "sc://\u0000/",
     "base": "about:blank",
@@ -4649,6 +4634,68 @@
     "search": "",
     "hash": ""
   },
+  "Forbidden host code points",
+  {
+    "input": "http://a<b",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "http://a>b",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "http://a^b",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "non-special://a<b",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "non-special://a>b",
+    "base": "about:blank",
+    "failure": true
+  },
+  {
+    "input": "non-special://a^b",
+    "base": "about:blank",
+    "failure": true
+  },
+  "Allowed host code points",
+  {
+    "input": "http://\u001F!\"$&'()*+,-.;=_`{|}~/",
+    "base": "about:blank",
+    "href": "http://\u001F!\"$&'()*+,-.;=_`{|}~/",
+    "origin": "http://\u001F!\"$&'()*+,-.;=_`{|}~",
+    "protocol": "http:",
+    "username": "",
+    "password": "",
+    "host": "\u001F!\"$&'()*+,-.;=_`{|}~",
+    "hostname": "\u001F!\"$&'()*+,-.;=_`{|}~",
+    "port": "",
+    "pathname": "/",
+    "search": "",
+    "hash": ""
+  },
+  {
+    "input": "sc://\u001F!\"$&'()*+,-.;=_`{|}~/",
+    "base": "about:blank",
+    "href": "sc://%1F!\"$&'()*+,-.;=_`{|}~/",
+    "origin": "null",
+    "protocol": "sc:",
+    "username": "",
+    "password": "",
+    "host": "%1F!\"$&'()*+,-.;=_`{|}~",
+    "hostname": "%1F!\"$&'()*+,-.;=_`{|}~",
+    "port": "",
+    "pathname": "/",
+    "search": "",
+    "hash": ""
+  },
   "# Hosts and percent-encoding",
   {
     "input": "ftp://example.com%80/",