From 564c9e76c97b8141c3349041704a07f3e11b716e Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Thu, 24 Nov 2022 12:53:41 +0100 Subject: [PATCH] doc: deprecate use of invalid ports in `url.parse` PR-URL: https://github.com/nodejs/node/pull/45576 Refs: https://github.com/nodejs/node/pull/45526 Co-authored-by: Rich Trott Reviewed-By: Benjamin Gruenbaum Reviewed-By: Yagiz Nizipli Reviewed-By: Rich Trott Reviewed-By: Matteo Collina --- doc/api/deprecations.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index f846fa80beefc3..735089f5d903f0 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3283,6 +3283,22 @@ Type: Documentation-only have security implications. Use the [WHATWG URL API][] instead. CVEs are not issued for `url.parse()` vulnerabilities. +### DEP0170: Invalid port when using `url.parse()` + + + +Type: Documentation-only + +[`url.parse()`][] accepts URLs with ports that are not numbers. This behavior +might result in host name spoofing with unexpected input. These URLs will throw +an error in future versions of Node.js, as the [WHATWG URL API][] does already. + [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf [RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3 [RFC 8247 Section 2.4]: https://www.rfc-editor.org/rfc/rfc8247#section-2.4