Ensure that binary characters are escaped correctly in the location h…

…eader
follow-redirects · Feb 21, 2024 · 5a6e8c4 · 5a6e8c4
1 parent b1677ce
commit 5a6e8c4
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/index.js b/index.js
@@ -567,6 +567,8 @@ function parseUrl(input) {
 }
 
 function resolveUrl(relative, base) {
+  // Ensure that any non-ascii characters are escaped correctly as a valid URI
+  relative = encodeURI(Buffer.from(relative, 'binary').toString('utf8'))
   /* istanbul ignore next */
   return useNativeURL ? new URL(relative, base) : parseUrl(url.resolve(base, relative));
 }

diff --git a/test/test.js b/test/test.js
@@ -394,6 +394,26 @@ describe("follow-redirects", function () {
       });
   });
 
+  it("should escape utf-8 characters in the url correctly", function () {
+    app.get("/a", redirectsTo("/b"));
+    app.get("/b", (_, res) => {
+      res.statusCode = 302;
+      res.set('Location', "http://localhost:3600/Â¢");
+      res.end();
+    });
+    app.get("/%C2%A2", redirectsTo("/d"));
+    app.get("/d", sendsJson({ a: "b" }));
+
+    return server.start(app)
+      .then(asPromise(function (resolve, reject) {
+        http.get("http://localhost:3600/a", concatJson(resolve, reject)).on("error", reject);
+      }))
+      .then(function (res) {
+        assert.deepEqual(res.parsedJson, { a: "b" });
+        assert.deepEqual(res.responseUrl, "http://localhost:3600/d");
+      });
+  });
+
   it("should return with the original status code if the response does not contain a location header", function () {
     app.get("/a", function (req, res) {
       res.status(307).end();