From 6279fc601a3fd1db969a98feb23c1cb661f68bea Mon Sep 17 00:00:00 2001
From: Tim van der Meij
Date: Sun, 13 Jan 2019 14:50:27 +0100
Subject: [PATCH] Handle malformed URIs as bad requests in the development webserver

Fixes #10445 (found by Dhiraj Mishra).
---
 test/webserver.js | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/test/webserver.js b/test/webserver.js
index 37de91dea..d8cd3055b 100644
--- a/test/webserver.js
+++ b/test/webserver.js
@@ -80,10 +80,19 @@ WebServer.prototype = {
   _handler: function (req, res) {
     var url = req.url.replace(/\/\//g, '/');
     var urlParts = /([^?]*)((?:\?(.*))?)/.exec(url);
-    // guard against directory traversal attacks,
-    // e.g. /../../../../../../../etc/passwd
-    // which let you make GET requests for files outside of this.root
-    var pathPart = path.normalize(decodeURI(urlParts[1]));
+    try {
+      // Guard against directory traversal attacks such as
+      // `/../../../../../../../etc/passwd`, which let you make GET requests
+      // for files outside of `this.root`.
+      var pathPart = path.normalize(decodeURI(urlParts[1]));
+    } catch (ex) {
+      // If the URI cannot be decoded, a `URIError` is thrown. This happens for
+      // malformed URIs such as `http://localhost:8888/%s%s` and should be
+      // handled as a bad request.
+      res.writeHead(400);
+      res.end('Bad request', 'utf8');
+      return;
+    }
     var queryPart = urlParts[3];
     var verbose = this.verbose;
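Review bot: The new `catch (ex)` block turns every exception raised inside the `try` into a 400, not only the `URIError` its comment describes, so an unrelated failure in `decodeURI`/`path.normalize` would be masked as a client error instead of surfacing; rethrow anything else as the first statement of the catch, `if (!(ex instanceof URIError)) { throw ex; }`, which also gives the otherwise-unused `ex` a purpose. Note as well that `decodeURI` does not reject `%00`, so a request like `/%00` passes this guard with a NUL byte in `pathPart`; if the code below the hunk hands that path to a synchronous `fs` call, Node throws outside this `try` and aborts the handler in the same way #10445 did, so a companion check such as `if (pathPart.indexOf('\0') !== -1) { res.writeHead(400); res.end('Bad request', 'utf8'); return; }` is worth adding right after the `try`/`catch`. The body of `_handler` continues past the end of the hunk.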