Fix redirect error when req.url contains raw non-URL characters

dougwilson · dougwilson · commit f281443c89a1 · 2016-05-10T01:36:51.000-04:00
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Fix redirect error when `req.url` contains raw non-URL characters
   * deps: send@0.14.1
 
 1.11.0 / 2016-06-07
diff --git a/index.js b/index.js
@@ -13,6 +13,7 @@
  * @private
  */
 
+var encodeUrl = require('encodeurl')
 var escapeHtml = require('escape-html')
 var parseUrl = require('parseurl')
 var resolve = require('path').resolve
@@ -172,7 +173,7 @@ function createRedirectDirectoryListener () {
     originalUrl.pathname = collapseLeadingSlashes(originalUrl.pathname + '/')
 
     // reformat the URL
-    var loc = url.format(originalUrl)
+    var loc = encodeUrl(url.format(originalUrl))
     var msg = 'Redirecting to <a href="' + escapeHtml(loc) + '">' + escapeHtml(loc) + '</a>\n'
     var res = this.res
 
diff --git a/package.json b/package.json
@@ -6,6 +6,7 @@
   "license": "MIT",
   "repository": "expressjs/serve-static",
   "dependencies": {
+    "encodeurl": "~1.0.1",
     "escape-html": "~1.0.3",
     "parseurl": "~1.3.1",
     "send": "0.14.1"
diff --git a/test/fixtures/snow ☃/.gitkeep b/test/fixtures/snow ☃/.gitkeep
diff --git a/test/test.js b/test/test.js
@@ -435,7 +435,9 @@ describe('serveStatic()', function () {
   describe('redirect', function () {
     var server
     before(function () {
-      server = createServer(fixtures)
+      server = createServer(fixtures, null, function (req, res) {
+        req.url = req.url.replace(/\/snow(\/|$)/, '/snow \u2603$1')
+      })
     })
 
     it('should redirect directories', function (done) {
@@ -466,6 +468,14 @@ describe('serveStatic()', function () {
       .expect(301, done)
     })
 
+    it('should ensure redirect URL is properly encoded', function (done) {
+      request(server)
+      .get('/snow')
+      .expect('Location', '/snow%20%E2%98%83/')
+      .expect('Content-Type', /html/)
+      .expect(301, 'Redirecting to <a href="/snow%20%E2%98%83/">/snow%20%E2%98%83/</a>\n', done)
+    })
+
     it('should not redirect incorrectly', function (done) {
       request(server)
       .get('/')
