Version in base suite: 1.5.3-1

Base version: node-url-parse_1.5.3-1
Target version: node-url-parse_1.5.3-1+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-url-parse/node-url-parse_1.5.3-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-url-parse/node-url-parse_1.5.3-1+deb11u1.dsc

 changelog                   |   10 ++++
 patches/CVE-2022-0686.patch |   92 ++++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2022-0691.patch |   39 ++++++++++++++++++
 patches/series              |    2 
 4 files changed, 143 insertions(+)

diff -Nru node-url-parse-1.5.3/debian/changelog node-url-parse-1.5.3/debian/changelog
--- node-url-parse-1.5.3/debian/changelog	2021-07-31 11:13:02.000000000 +0000
+++ node-url-parse-1.5.3/debian/changelog	2022-04-11 14:15:12.000000000 +0000
@@ -1,3 +1,13 @@
+node-url-parse (1.5.3-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Handle the case where the port is specified but empty
+    (Closes: CVE-2022-0686)
+  * Strip all control characters from the beginning of the URL
+    (Closes: CVE-2022-0691)
+
+ -- Yadd <yadd@debian.org>  Mon, 11 Apr 2022 16:15:12 +0200
+
 node-url-parse (1.5.3-1) unstable; urgency=medium
 
   * Team upload
diff -Nru node-url-parse-1.5.3/debian/patches/CVE-2022-0686.patch node-url-parse-1.5.3/debian/patches/CVE-2022-0686.patch
--- node-url-parse-1.5.3/debian/patches/CVE-2022-0686.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-url-parse-1.5.3/debian/patches/CVE-2022-0686.patch	2022-04-11 14:15:12.000000000 +0000
@@ -0,0 +1,92 @@
+Description: Handle the case where the port is specified but empty
+Author: Luigi Pinca <luigipinca@gmail.com>
+Origin: upstream, https://github.com/unshiftio/url-parse/commit/d5c64791
+Bug: https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-03-23
+
+--- a/index.js
++++ b/index.js
+@@ -3,6 +3,7 @@
+ var required = require('requires-port')
+   , qs = require('querystringify')
+   , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//
++  , port = /:\d+$/
+   , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\\/]+)?([\S\s]*)/i
+   , windowsDriveLetter = /^[a-zA-Z]:/
+   , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
+@@ -39,7 +40,7 @@
+   ['/', 'pathname'],                    // Extract from the back.
+   ['@', 'auth', 1],                     // Extract from the front.
+   [NaN, 'host', undefined, 1, 1],       // Set left over value.
+-  [/:(\d+)$/, 'port', undefined, 1],    // RegExp the back.
++  [/:(\d*)$/, 'port', undefined, 1],    // RegExp the back.
+   [NaN, 'hostname', undefined, 1, 1]    // Set left over.
+ ];
+ 
+@@ -433,7 +434,7 @@
+     case 'host':
+       url[part] = value;
+ 
+-      if (/:\d+$/.test(value)) {
++      if (port.test(value)) {
+         value = value.split(':');
+         url.port = value.pop();
+         url.hostname = value.join(':');
+@@ -490,6 +491,7 @@
+ 
+   var query
+     , url = this
++    , host = url.host
+     , protocol = url.protocol;
+ 
+   if (protocol && protocol.charAt(protocol.length - 1) !== ':') protocol += ':';
+@@ -502,7 +504,15 @@
+     result += '@';
+   }
+ 
+-  result += url.host + url.pathname;
++  //
++  // Trailing colon is removed from `url.host` when it is parsed. If it still
++  // ends with a colon, then add back the trailing colon that was removed. This
++  // prevents an invalid URL from being transformed into a valid one.
++  //
++  if (host[host.length - 1] === ':' || (port.test(url.hostname) && !url.port)) {
++    host += ':';
++  }
++  result += host + url.pathname;
+ 
+   query = 'object' === typeof url.query ? stringify(url.query) : url.query;
+   if (query) result += '?' !== query.charAt(0) ? '?'+ query : query;
+--- a/test/test.js
++++ b/test/test.js
+@@ -401,6 +401,28 @@
+     assume(parsed.slashes).is.true();
+   });
+ 
++  it('handles the case where the port is specified but empty', function () {
++    var parsed = parse('http://example.com:');
++
++    assume(parsed.protocol).equals('http:');
++    assume(parsed.port).equals('');
++    assume(parsed.host).equals('example.com');
++    assume(parsed.hostname).equals('example.com');
++    assume(parsed.pathname).equals('/');
++    assume(parsed.origin).equals('http://example.com');
++    assume(parsed.href).equals('http://example.com/');
++
++    parsed = parse('http://example.com::');
++
++    assume(parsed.protocol).equals('http:');
++    assume(parsed.port).equals('');
++    assume(parsed.host).equals('example.com:');
++    assume(parsed.hostname).equals('example.com:');
++    assume(parsed.pathname).equals('/');
++    assume(parsed.origin).equals('http://example.com:');
++    assume(parsed.href).equals('http://example.com::/');
++  });
++
+   describe('origin', function () {
+     it('generates an origin property', function () {
+       var url = 'http://google.com:80/pathname'
diff -Nru node-url-parse-1.5.3/debian/patches/CVE-2022-0691.patch node-url-parse-1.5.3/debian/patches/CVE-2022-0691.patch
--- node-url-parse-1.5.3/debian/patches/CVE-2022-0691.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-url-parse-1.5.3/debian/patches/CVE-2022-0691.patch	2022-04-11 14:15:12.000000000 +0000
@@ -0,0 +1,39 @@
+Description: Strip all control characters from the beginning of the URL
+Author: Luigi Pinca <luigipinca@gmail.com>
+Origin: upstream, https://github.com/unshiftio/url-parse/commit/0e3fb542
+Bug: https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-04-11
+
+--- a/index.js
++++ b/index.js
+@@ -6,7 +6,8 @@
+   , port = /:\d+$/
+   , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\\/]+)?([\S\s]*)/i
+   , windowsDriveLetter = /^[a-zA-Z]:/
+-  , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
++  //                  \t  \n    \v  \f   \r
++  , whitespace = '[\\x00-\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
+   , left = new RegExp('^'+ whitespace +'+');
+ 
+ /**
+--- a/test/test.js
++++ b/test/test.js
+@@ -47,8 +47,14 @@
+       assume(parse.trimLeft).is.a('function');
+     });
+ 
+-    it('removes whitespace on the left', function () {
+-      assume(parse.trimLeft('  lol')).equals('lol');
++    it('removes control characters on the left', function () {
++      var i = 0;
++      var prefix = ''
++
++      for (; i < 33; i++) {
++        prefix = String.fromCharCode(i);
++        assume(parse.trimLeft(prefix + prefix +'lol')).equals('lol');
++      }
+     });
+ 
+     it('calls toString on a given value', function () {
diff -Nru node-url-parse-1.5.3/debian/patches/series node-url-parse-1.5.3/debian/patches/series
--- node-url-parse-1.5.3/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ node-url-parse-1.5.3/debian/patches/series	2022-04-11 14:15:12.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2022-0686.patch
+CVE-2022-0691.patch