From b89f4d5c170619f533b859c63ebe7bcddbe51c31 Mon Sep 17 00:00:00 2001
From: Rich Trott
Date: Mon, 7 Mar 2022 21:00:06 -0800
Subject: [PATCH] url: trim leading and trailing C0 control chars
Emulate the WHATWHG URL parse behavior of trimming leading and trailing C0 control characters. This moves url.parse() slightly closer to WHATWHG URL behavior. The current behavior is possibly insecure for some uses. (The url.parse() API is marked as Legacy and the documentation specifically says it has known bugs and insecure behaviors. Still this change makes a lot of sense.) This issue was reported by P0cas. https://github.com/P0cas
PR-URL: https://github.com/nodejs/node/pull/42196
Reviewed-By: Luigi Pinca
Reviewed-By: Darshan Sen
Reviewed-By: Matteo Collina
Reviewed-By: Mestery
Reviewed-By: Anto Aravinth
Reviewed-By: Anna Henningsen
---
 lib/url.js | 7 +------
 test/parallel/test-url-parse-format.js | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/lib/url.js b/lib/url.js
index 745c7c9930deda..8280ddf056c967 100644
--- a/lib/url.js
+++ b/lib/url.js
@@ -117,7 +117,6 @@ const {
 CHAR_TAB,
 CHAR_CARRIAGE_RETURN,
 CHAR_LINE_FEED,
- CHAR_FORM_FEED,
 CHAR_NO_BREAK_SPACE,
 CHAR_ZERO_WIDTH_NOBREAK_SPACE,
 CHAR_HASH,
@@ -196,11 +195,7 @@ Url.prototype.parse = function parse(url, parseQueryString, slashesDenoteHost) {
 const code = url.charCodeAt(i);
 // Find first and last non-whitespace characters for trimming
- const isWs = code === CHAR_SPACE || code === CHAR_TAB || code === CHAR_CARRIAGE_RETURN || code === CHAR_LINE_FEED || code === CHAR_FORM_FEED ||
+ const isWs = code < 33 ||
 code === CHAR_NO_BREAK_SPACE ||
 code === CHAR_ZERO_WIDTH_NOBREAK_SPACE;
 if (start === -1) {
diff --git a/test/parallel/test-url-parse-format.js b/test/parallel/test-url-parse-format.js
index e1cf80a2778abd..99a6ace23a2fb3 100644
--- a/test/parallel/test-url-parse-format.js
+++ b/test/parallel/test-url-parse-format.js
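Review bot: `code < 33` in the new `isWs` line is an unexplained magic number, and the comment directly above it still says "non-whitespace characters" although the test now matches every C0 control (U+0000–U+001F) plus space, which is what the commit title describes. Spelling the bound as the spec's range and updating the comment would let a reader check the intent against the WHATWG definition, e.g. `// Trim leading/trailing C0 controls and space (U+0000-U+0020, as WHATWG URL does), plus NBSP/ZWNBSP` and `const isWs = code <= 0x20 ||`. The two context lines below still trim NBSP and ZWNBSP, which the WHATWG trim step does not cover, so this remains an approximation rather than parity; one sentence in that comment saying so would keep a later reader from assuming the legacy parser now matches the WHATWG parser. `parse` starts and ends outside this hunk.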
@@ -977,6 +977,21 @@ const parseTests = {
 path: '/everybody',
 href: '//fhqwhgads@example.com/everybody#to-the-limit'
 },
+
+ '\bhttp://example.com/\b': {
+ protocol: 'http:',
+ slashes: true,
+ auth: null,
+ host: 'example.com',
+ port: null,
+ hostname: 'example.com',
+ hash: null,
+ search: null,
+ query: null,
+ pathname: '/',
+ path: '/',
+ href: 'http://example.com/'
+ }
 };
 for (const u in parseTests) {
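Review bot: The new entry exercises only U+0008 (`\b`) at both ends of the input, so neither edge of the `code < 33` range introduced in lib/url.js is pinned by a test. A copy of this entry keyed `'\u0000http://example.com/\u001f'` with the same expected object would cover the lowest and highest C0 control, and a case whose first non-trimmed character is U+0021 would catch an off-by-one at the upper bound. Separate leading-only and trailing-only variants would also show that the two ends are trimmed independently rather than only together. The `for (const u in parseTests)` loop begins in this hunk and continues past it.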