From 02a0c74861c3107e6a9a1752e91540f8d4c49a76 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Wed, 20 Nov 2019 11:48:58 -0800 Subject: [PATCH] http: llhttp opt-in insecure HTTP header parsing Allow insecure HTTP header parsing. Make clear it is insecure. See: - https://github.com/nodejs/node/pull/30553 - https://github.com/nodejs/node/issues/27711#issuecomment-556265881 - https://github.com/nodejs/node/issues/30515 PR-URL: https://github.com/nodejs/node/pull/30567 Reviewed-By: Fedor Indutny Reviewed-By: Anna Henningsen Reviewed-By: Denys Otrishko Reviewed-By: James M Snell --- doc/api/cli.md | 11 +++++++++++ doc/node.1 | 6 ++++++ lib/_http_client.js | 4 +++- lib/_http_common.js | 13 +++++++++++++ lib/_http_server.js | 4 +++- src/node_http_parser.cc | 7 +++++-- src/node_options.cc | 4 ++++ src/node_options.h | 2 ++ 8 files changed, 47 insertions(+), 4 deletions(-) diff --git a/doc/api/cli.md b/doc/api/cli.md index d4b4da5249a16b..171f6b8ad29780 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -419,6 +419,16 @@ added: v9.0.0 Specify the `module` of a custom [experimental ECMAScript Module loader][]. `module` may be either a path to a file, or an ECMAScript Module name. +### `--insecure-http-parser` + + +Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow +interoperability with non-conformant HTTP implementations. It may also allow +request smuggling and other HTTP attacks that rely on invalid headers being +accepted. Avoid using this option. + ### `--max-http-header-size=size`