Version in base suite: 1.5.3-1+deb11u1

Base version: node-url-parse_1.5.3-1+deb11u1
Target version: node-url-parse_1.5.3-1+deb11u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-url-parse/node-url-parse_1.5.3-1+deb11u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-url-parse/node-url-parse_1.5.3-1+deb11u2.dsc

 changelog                   |    7 ++
 patches/CVE-2022-0512.patch |  135 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 3 files changed, 143 insertions(+)

diff -Nru node-url-parse-1.5.3/debian/changelog node-url-parse-1.5.3/debian/changelog
--- node-url-parse-1.5.3/debian/changelog	2022-04-11 14:15:12.000000000 +0000
+++ node-url-parse-1.5.3/debian/changelog	2023-05-31 10:43:23.000000000 +0000
@@ -1,3 +1,10 @@
+node-url-parse (1.5.3-1+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Correctly handle userinfo containing the at sign (Closes: CVE-2022-0512)
+
+ -- Yadd <yadd@debian.org>  Wed, 31 May 2023 14:43:23 +0400
+
 node-url-parse (1.5.3-1+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff -Nru node-url-parse-1.5.3/debian/patches/CVE-2022-0512.patch node-url-parse-1.5.3/debian/patches/CVE-2022-0512.patch
--- node-url-parse-1.5.3/debian/patches/CVE-2022-0512.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-url-parse-1.5.3/debian/patches/CVE-2022-0512.patch	2023-05-31 10:43:23.000000000 +0000
@@ -0,0 +1,135 @@
+Description: Correctly handle userinfo containing the at sign
+Author: Luigi Pinca <luigipinca@gmail.com>
+Origin: upstream, https://github.com/unshiftio/url-parse/commit/9be7ee88
+Bug: https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b
+Forwarded: not-needed
+Applied-Upstream: 1.5.6, commit:9be7ee88
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-05-31
+
+--- a/index.js
++++ b/index.js
+@@ -306,7 +306,11 @@
+     if (parse !== parse) {
+       url[key] = address;
+     } else if ('string' === typeof parse) {
+-      if (~(index = address.indexOf(parse))) {
++      index = parse === '@'
++        ? address.lastIndexOf(parse)
++        : address.indexOf(parse);
++
++      if (~index) {
+         if ('number' === typeof instruction[2]) {
+           url[key] = address.slice(0, index);
+           address = address.slice(index + instruction[2]);
+@@ -373,9 +377,19 @@
+   //
+   url.username = url.password = '';
+   if (url.auth) {
+-    instruction = url.auth.split(':');
+-    url.username = instruction[0] || '';
+-    url.password = instruction[1] || '';
++    index = url.auth.indexOf(':');
++
++    if (~index) {
++      url.username = url.auth.slice(0, index);
++      url.username = encodeURIComponent(decodeURIComponent(url.username));
++
++      url.password = url.auth.slice(index + 1);
++      url.password = encodeURIComponent(decodeURIComponent(url.password))
++    } else {
++      url.username = encodeURIComponent(decodeURIComponent(url.auth));
++    }
++
++    url.auth = url.password ? url.username +':'+ url.password : url.username;
+   }
+ 
+   url.origin = url.protocol !== 'file:' && isSpecial(url.protocol) && url.host
+--- a/test/test.js
++++ b/test/test.js
+@@ -712,6 +712,54 @@
+     });
+   });
+ 
++      it('handles @ in username', function () {
++      var url = 'http://user@@www.example.com/'
++        , parsed = parse(url);
++
++      assume(parsed.protocol).equals('http:');
++      assume(parsed.auth).equals('user%40');
++      assume(parsed.username).equals('user%40');
++      assume(parsed.password).equals('');
++      assume(parsed.hostname).equals('www.example.com');
++      assume(parsed.pathname).equals('/');
++      assume(parsed.href).equals('http://user%40@www.example.com/');
++
++      url = 'http://user%40@www.example.com/';
++      parsed = parse(url);
++
++      assume(parsed.protocol).equals('http:');
++      assume(parsed.auth).equals('user%40');
++      assume(parsed.username).equals('user%40');
++      assume(parsed.password).equals('');
++      assume(parsed.hostname).equals('www.example.com');
++      assume(parsed.pathname).equals('/');
++      assume(parsed.href).equals('http://user%40@www.example.com/');
++    });
++
++    it('handles @ in password', function () {
++      var url = 'http://user@:pas:s@@www.example.com/'
++        , parsed = parse(url);
++
++      assume(parsed.protocol).equals('http:');
++      assume(parsed.auth).equals('user%40:pas%3As%40');
++      assume(parsed.username).equals('user%40');
++      assume(parsed.password).equals('pas%3As%40');
++      assume(parsed.hostname).equals('www.example.com');
++      assume(parsed.pathname).equals('/');
++      assume(parsed.href).equals('http://user%40:pas%3As%40@www.example.com/');
++
++      url = 'http://user%40:pas%3As%40@www.example.com/'
++      parsed = parse(url);
++
++      assume(parsed.protocol).equals('http:');
++      assume(parsed.auth).equals('user%40:pas%3As%40');
++      assume(parsed.username).equals('user%40');
++      assume(parsed.password).equals('pas%3As%40');
++      assume(parsed.hostname).equals('www.example.com');
++      assume(parsed.pathname).equals('/');
++      assume(parsed.href).equals('http://user%40:pas%3As%40@www.example.com/');
++    });
++
+   it('accepts multiple ???', function () {
+     var url = 'http://mt0.google.com/vt/lyrs=m@114???&hl=en&src=api&x=2&y=2&z=3&s=';
+     assume(parse(url).query).equals('???&hl=en&src=api&x=2&y=2&z=3&s=');
+@@ -1078,6 +1126,30 @@
+ 
+       assume(data.username).equals('foo');
+       assume(data.href).equals('https://foo@google.com/?foo=bar');
++
++      data = parse('https://user@:pass@@example.com/');
++      assume(data.set('auth', 'user@:pass@')).equals(data);
++      assume(data.username).equals('user%40');
++      assume(data.password).equals('pass%40');
++      assume(data.href).equals('https://user%40:pass%40@example.com/');
++
++      data = parse('https://user%40:pass%40@example.com/');
++      assume(data.set('auth', 'user%40:pass%40')).equals(data);
++      assume(data.username).equals('user%40');
++      assume(data.password).equals('pass%40');
++      assume(data.href).equals('https://user%40:pass%40@example.com/');
++
++      data = parse('https://user:pass:word@example.com/');
++      assume(data.set('auth', 'user:pass:word')).equals(data);
++      assume(data.username).equals('user');
++      assume(data.password).equals('pass%3Aword');
++      assume(data.href).equals('https://user:pass%3Aword@example.com/');
++
++      data = parse('https://user:pass%3Aword@example.com/');
++      assume(data.set('auth', 'user:pass%3Aword')).equals(data);
++      assume(data.username).equals('user');
++      assume(data.password).equals('pass%3Aword');
++      assume(data.href).equals('https://user:pass%3Aword@example.com/');
+     });
+ 
+     it('lowercases the required values', function () {
diff -Nru node-url-parse-1.5.3/debian/patches/series node-url-parse-1.5.3/debian/patches/series
--- node-url-parse-1.5.3/debian/patches/series	2022-04-11 14:15:12.000000000 +0000
+++ node-url-parse-1.5.3/debian/patches/series	2023-05-31 10:43:23.000000000 +0000
@@ -1,2 +1,3 @@
 CVE-2022-0686.patch
 CVE-2022-0691.patch
+CVE-2022-0512.patch