From a0c64c55dbc101f1819b18ab18e50152ae371fa1 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Tue, 22 Nov 2022 12:34:21 +0100 Subject: [PATCH 1/2] doc: deprecate use of invalid ports in `url.parse` Refs: https://github.com/nodejs/node/pull/45526 Co-authored-by: Rich Trott --- doc/api/deprecations.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index c4c089487c3dc5..a8aa207349083d 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3295,6 +3295,22 @@ Type: Documentation-only have security implications. Use the [WHATWG URL API][] instead. CVEs are not issued for `url.parse()` vulnerabilities. +### DEP0170: Invalid port when using `url.parse()` + + + +Type: Documentation-only + +[`url.parse()`][] accepts URLs with ports that are not numbers. This behavior +might result in host name spoofing with unexpected input. These URLs will throw +an error in future versions of Node.js, as the [WHATWG URL API][] does already. + [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf [RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3 [RFC 8247 Section 2.4]: https://www.rfc-editor.org/rfc/rfc8247#section-2.4 From f74325d562e135062a637425fe5619a9a5dbf47a Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Tue, 22 Nov 2022 12:36:42 +0100 Subject: [PATCH 2/2] fixup! doc: deprecate use of invalid ports in `url.parse` --- doc/api/deprecations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index a8aa207349083d..cb6a187043eb86 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3301,7 +3301,7 @@ issued for `url.parse()` vulnerabilities. changes: - version: - REPLACEME - pr-url: https://github.com/nodejs/node/pull/45526 + pr-url: https://github.com/nodejs/node/pull/45576 description: Documentation-only deprecation. -->
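Review bot: In the DEP0170 paragraph added by patch 1/2, "ports that are not numbers" is narrower than the heading's "Invalid port", and "host name spoofing with unexpected input" does not tell a reader what to audit for. Suggest stating which port values count as invalid and what `url.parse()` returns for them today, so that users can check code that makes host-based decisions on its output, and pointing to the [WHATWG URL API][] as the replacement, as the preceding section does. Also confirm that the [`url.parse()`][] reference has a definition in the link list below, since this hunk adds none.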
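Review bot: In patch 2/2, the `pr-url` correction from 45526 to 45576 arrives as a separate `fixup!` commit; squash it into patch 1/2 before landing so the history never carries the wrong `pr-url` in the DEP0170 metadata. The `Refs:` trailer in patch 1/2 still points at pull/45526, the same number this hunk replaces, so confirm that the trailer is meant to reference the related change and not this PR.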