-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MIME type overmatch in data URLs #48957
Comments
Good catch. FYI if you paste a "Permalink URL", it will show the line(s) of code: node/lib/internal/modules/esm/formats.js Line 29 in fe514bf
Would you like to send a PR to fix this? |
No thanks, I won't be able to get to this. |
@aduh95 i will be happy to help with this bug |
I would be glad helping with this, too. Feel free to reach me if you want to. |
I started working on it, but I'm figuring out that the MIME type may be wrong overall. The current regexp also allow As https://datatracker.ietf.org/doc/html/rfc9239 stands that |
As the previous PR got closed and it seems that nobody is currently working on this issue I would like to submit a PR :) Edit: The change is pretty simple, I'm now creating a test case. |
This commit adds the delimiters ^ and $ to the regex that matches the data MIME types. Fixes: nodejs#48957
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for "data:URLs". Fixes: nodejs#48957
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for "data:URLs". Fixes: nodejs#48957
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for "data:URLs". Fixes: nodejs#48957
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for "data:URLs". Fixes: nodejs#48957
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for `data:` URLs. PR-URL: #49104 Fixes: #48957 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for `data:` URLs. PR-URL: nodejs#49104 Fixes: nodejs#48957 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for `data:` URLs. PR-URL: #49104 Fixes: #48957 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for `data:` URLs. PR-URL: nodejs#49104 Fixes: nodejs#48957 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for `data:` URLs. PR-URL: nodejs#49104 Fixes: nodejs#48957 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for `data:` URLs. PR-URL: #49104 Fixes: #48957 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for `data:` URLs. PR-URL: #49104 Fixes: #48957 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for `data:` URLs. PR-URL: #49104 Fixes: #48957 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for `data:` URLs. PR-URL: nodejs/node#49104 Fixes: nodejs/node#48957 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
This commit adds the delimiters ^ and $ to the regex that matches the MIME types for `data:` URLs. PR-URL: nodejs/node#49104 Fixes: nodejs/node#48957 Reviewed-By: Geoffrey Booth <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
Version
v20.5.0
Platform
Linux host 5.19.0-45-generic #46-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 7 09:08:58 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Subsystem
modules
What steps will reproduce the bug?
Execute this command.
node --input-type=module --eval 'import "data:ONCEUPONAtext/javascriptTHEREWASASNEAKYMODULE,console.log(\"EVALUATED\")"'
The incorrectly typed inline module is evaluated. The string is logged to the console.
How often does it reproduce? Is there a required condition?
Consistently.
What is the expected behavior? Why is that the expected behavior?
An incorrect MIME type is forbidden.
What do you see instead?
The module is evaluated.
Additional information
formats.js
has a regex matching the MIME type./\s*(text|application)\/javascript\s*(;\s*charset=utf-?8\s*)?/i
This will match any MIME type that contains
(text|application)/javascript
anywhere. It maybe needs start and end anchors.The text was updated successfully, but these errors were encountered: