http_parser_parse_url quietly fails to parse very long URLs. Instead it will return invalid off and len values. There could be a security impact in this issue in situations where the parse result data would be used to make security related decisions (for example the parsed path might be different in actual URL vs the parsed one).
PR #480 is a proposed fix to this issue. Alternatively if the existing ABI must be maintained, the code should be changed to return an error if off or len overflow (become > UINT16_MAX).
http_parser_parse_url quietly fails to parse very long URLs. Instead it will return invalid
offandlenvalues. There could be a security impact in this issue in situations where the parse result data would be used to make security related decisions (for example the parsed path might be different in actual URL vs the parsed one).PR #480 is a proposed fix to this issue. Alternatively if the existing ABI must be maintained, the code should be changed to return an error if
offorlenoverflow (become >UINT16_MAX).