Merge tag '4.19.1' into 5.x

4.19.1
2026-02-21 19:41:36 +00:00 · 2024-03-20 21:17:26 -05:00
parent e9f9aaeebd 4f0f6cc67d
commit 60fb1d2acd
3 changed files with 25 additions and 5 deletions
--- a/History.md
+++ b/History.md
@@ -1,7 +1,7 @@
 5.x
 ===

-This incorporates all changes after 4.17.2 up to 4.17.3.
+This incorporates all changes after 4.17.2 up to 4.19.1.

 5.0.0-beta.1 / 2022-02-14
 =========================
@@ -162,7 +162,12 @@ This is the first Express 5.0 alpha release, based off 4.10.1.
  * add:
    - `app.router` is a reference to the base router

-4.18.3 / 2024-03-20
+4.19.1 / 2024-03-20
+==========
+
+  * Allow passing non-strings to res.location with new encoding handling checks
+
+4.19.0 / 2024-03-20
 ==========

  * Prevent open redirect allow list bypass due to encodeurl
--- a/lib/response.js
+++ b/lib/response.js
@@ -773,7 +773,7 @@ res.cookie = function (name, value, options) {
 */

 res.location = function location(url) {
-  var loc = url;
+  var loc = String(url);

  // "back" is an alias for the referrer
  if (url === 'back') {
--- a/test/res.location.js
+++ b/test/res.location.js
@@ -58,7 +58,7 @@ describe('res', function(){
      });

      request(app)
-        .get('/?q=http://google.com\\@apple.com')
+        .get('/?q=http://google.com' + encodeURIComponent('\\@apple.com'))
        .expect(200)
        .expect('Location', 'http://google.com\\@apple.com')
        .end(function (err) {
@@ -68,7 +68,7 @@ describe('res', function(){

          // This ensures that our protocol check is case insensitive
          request(app)
-            .get('/?q=HTTP://google.com\\@apple.com')
+            .get('/?q=HTTP://google.com' + encodeURIComponent('\\@apple.com'))
            .expect(200)
            .expect('Location', 'HTTP://google.com\\@apple.com')
            .end(done)
@@ -145,5 +145,20 @@ describe('res', function(){
        .expect(200, done)
      })
    })
+
+    if (typeof URL !== 'undefined') {
+      it('should accept an instance of URL', function (done) {
+        var app = express();
+
+        app.use(function(req, res){
+          res.location(new URL('http://google.com/')).end();
+        });
+
+        request(app)
+          .get('/')
+          .expect('Location', 'http://google.com/')
+          .expect(200, done);
+      });
+    }
  })
 })