[19.2.x] Cherry-pick security and bug fixes#68939
Merged
JeanMeche approved these changes on May 27, 2026
This reverts commit 4747fe2.
…g tag check

This ensures that when rootElement is undefined, no error occurs.
…inst SSRF and path hijack

Normalizes the URL and path parsing logic inside platform-server by consolidating security checks and normalizations into a single, unified parseUrl helper function. This includes:

- Collapsing multiple consecutive leading slashes and backslashes (e.g., // or /\) to a single forward slash to avoid protocol-relative parsing of path-like and relative inputs.
- Rejecting malformed absolute URLs that are otherwise accepted by lenient DOM parsers like Domino but rejected by standard WHATWG parsers, preventing SSRF / allowedHosts validation bypasses.
- Ensuring parseDocument gets the fully parsed and normalized URL instead of raw, unvalidated configuration values, preventing virtual document hostname adoption / origin hijack.
- Moving parseUrl unit tests into a dedicated url_spec.ts test file to keep platform_location_spec.ts clean and decoupled.
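The following TypeScript is an added illustration of the three behaviours the commit message above describes; it is not Angular's platform-server code, and the real parseUrl helper is not shown on this page. The base origin `https://app.example/`, the host `evil.com`, the fallback `DEFAULT_BASE`, and the function names `collapseLeadingSlashes`, `parseUrl`, `resolveWithoutNormalization`, `isAllowedHost` and `documentUrlFromConfig` are assumptions for the example. It relies only on the WHATWG `URL` class that Node.js and browsers provide.

```typescript
// Added example, not Angular's platform-server implementation. The names below
// (DEFAULT_BASE, collapseLeadingSlashes, parseUrl, resolveWithoutNormalization,
// isAllowedHost, documentUrlFromConfig) are hypothetical.

// Hypothetical fallback origin used when a path-like input has no base of its own.
export const DEFAULT_BASE = 'http://localhost/';

// Step 1: collapse two or more leading slashes/backslashes into a single "/".
// Under WHATWG rules a special-scheme URL treats "\" like "/", so "//evil.com/x"
// and "/\evil.com/x" would otherwise resolve as protocol-relative URLs and adopt
// the host "evil.com" instead of staying a path on the intended origin.
export function collapseLeadingSlashes(input: string): string {
  return input.replace(/^[\/\\]{2,}/, '/');
}

// Step 2: parse with the strict WHATWG parser (the global URL class). Malformed
// absolute URLs that a lenient DOM parser might tolerate (a space in the host,
// a non-numeric port) throw here and are rejected rather than silently accepted.
// A scheme-bearing input is parsed as an absolute URL; the base only applies to
// relative inputs.
export function parseUrl(rawUrl: string, base: string = DEFAULT_BASE): URL {
  const normalized = collapseLeadingSlashes(rawUrl.trim());
  try {
    return new URL(normalized, base);
  } catch {
    throw new Error(`Rejected malformed URL: ${JSON.stringify(rawUrl)}`);
  }
}

// Unnormalised resolution, kept only to show the host adoption the collapse prevents.
export function resolveWithoutNormalization(rawUrl: string, base: string): URL {
  return new URL(rawUrl, base);
}

// Step 3: allow-list checks and the virtual document's URL are derived from the
// parsed result, never from the raw configured string.
export function isAllowedHost(parsed: URL, allowedHosts: readonly string[]): boolean {
  const hostname = parsed.hostname.toLowerCase();
  return allowedHosts.some((h) => h.toLowerCase() === hostname);
}

export function documentUrlFromConfig(configuredUrl: string, base: string = DEFAULT_BASE): string {
  return parseUrl(configuredUrl, base).href;
}

// Constructed inputs: a protocol-relative smuggle, its backslash variant, and two
// malformed absolute URLs.
const BASE = 'https://app.example/';
console.log(resolveWithoutNormalization('//evil.com/api', BASE).hostname); // evil.com
console.log(parseUrl('//evil.com/api', BASE).hostname); // app.example
console.log(parseUrl('/\\evil.com/api', BASE).pathname); // /evil.com/api
for (const bad of ['http://exa mple.com/', 'https://app.example:notaport/']) {
  try {
    parseUrl(bad, BASE);
  } catch (e) {
    console.log((e as Error).message);
  }
}
```

One consequence worth noting: a legitimate protocol-relative reference such as `//cdn.example/lib.js` is also turned into a path under this scheme, which is exactly the trade the commit message makes for path-like and relative inputs; anything that must reach another host should be passed as a full absolute URL so it goes through the strict parse and the allow-list check.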
Author (Contributor): Caretaker note, kindly ignore the pending mergeability tests.
Member: This PR was merged into the repository. The changes were merged into the following branches:
This PR backports a batch of security and critical bug fixes to the 19.2.x branch:

All golden symbols files have been regenerated and verified, and all conflicts have been resolved cleanly to align with the core architecture of the 19.2.x branch.