Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

url: disallow invalid IPv4 in IPv6 parser #12315

Closed
wants to merge 1 commit into from
Closed

url: disallow invalid IPv4 in IPv6 parser #12315

wants to merge 1 commit into from

Conversation

watilde
Copy link
Member

@watilde watilde commented Apr 10, 2017

Fixes: #10655.

Checklist
  • make -j4 test
  • tests are included
Affected core subsystem(s)

url

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. dont-land-on-v4.x whatwg-url Issues and PRs related to the WHATWG URL implementation. labels Apr 10, 2017
@watilde
Copy link
Member Author

watilde commented Apr 10, 2017
edited
Loading

ci: https://ci.nodejs.org/job/node-test-pull-request/7307/ (canceled)
ci: https://ci.nodejs.org/job/node-test-pull-request/7310/

addaleax
addaleax reviewed Apr 10, 2017
View reviewed changes
src/node_url.cc Outdated
while (ch != kEOL) {
value = 0xffffffff;
if (numbers_seen > 0) {
if (ch == '.' && 4 > numbers_seen) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe numbers_seen < 4 is a bit more intuitive than 4 > numbers_seen?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure thing. I've updated it :)

@TimothyGu TimothyGu self-requested a review April 11, 2017 03:09
bnoordhuis
bnoordhuis reviewed Apr 11, 2017
View reviewed changes
src/node_url.cc Outdated
pointer++;
ch = pointer < end ? pointer[0] : kEOL;
if (value > 255)
goto end;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did you move this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I was just reading the spec from the top to the bottom. The order comes from it, but yeah it's better to not touch for the performance. I will update it :)

src/node_url.cc Outdated
ch = pointer < end ? pointer[0] : kEOL;
}
if (dots == 3 && ch != kEOL)
if (ch == kEOL && numbers_seen != 4)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is covered by the if (numbers_seen > 0) { check at the start of the loop, isn't it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it could happen if the numbers_seen is increased in the loop in the loop that the top loop can't detect: https://github.com/watilde/node/blob/521926ae2f502759c5fc752c82a2661a3dbf419e/src/node_url.cc#L179

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I see what you mean but in that case it can be moved to right after the loop, right? And the ch == kEOL clause can be dropped because that's implied by while (ch != kEOL).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh you're right! I just got what you meant of right after the loop. I will update and let's wait for the spec update at whatwg/url#292. Thanks :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The spec was updated at whatwg/url#292.

@rmisev rmisev mentioned this pull request Apr 12, 2017
Merged
@watilde
Copy link
Member Author

watilde commented Apr 14, 2017

ci: https://ci.nodejs.org/job/node-test-pull-request/7393/

@watilde
Copy link
Member Author

watilde commented Apr 14, 2017

Landed in 1b99d8f. Thanks!

@watilde watilde closed this Apr 14, 2017
@watilde watilde deleted the feature/ipv4-in-ipv6 branch April 14, 2017 17:12
watilde added a commit that referenced this pull request Apr 14, 2017
@watilde
url: disallow invalid IPv4 in IPv6 parser
1b99d8f 
Fixes: #10655
PR-URL: #12315
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
@TimothyGu TimothyGu mentioned this pull request Apr 19, 2017
Merged
4 tasks
@jasnell jasnell mentioned this pull request May 11, 2017
Closed
@baby636 baby636 mentioned this pull request Jun 22, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@addaleax addaleax addaleax left review comments

@bnoordhuis bnoordhuis bnoordhuis approved these changes

@jasnell jasnell jasnell approved these changes

@TimothyGu TimothyGu TimothyGu approved these changes

Assignees
No one assigned
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. whatwg-url Issues and PRs related to the WHATWG URL implementation.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@watilde @bnoordhuis @jasnell @addaleax @TimothyGu @nodejs-github-bot