Update http parser 2.9.1 v10.x #30471

Commits on Jan 10, 2020

  1. Commit 8e0206f
  2. deps,http: http_parser set max header size to 8KB

    Reapplying HTTP_MAX_HEADER_SIZE=8192 to http_parser.gyp.
    
    CVE-2018-12121
    
    PR-URL: https://github.com/nodejs-private/node-private/pull/143
    Ref: https://github.com/nodejs-private/security/issues/139
    Ref: https://github.com/nodejs-private/http-parser-private/pull/2
    Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Rod Vagg <rod@vagg.org>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    mcollina authored and sam-github committed Jan 10, 2020
    Commit 71737bc
  3. http: opt-in insecure HTTP header parsing

    Allow insecure HTTP header parsing. Make clear it is insecure.
    
    See:
    - nodejs#30553
    - nodejs#27711 (comment)
    - nodejs#30515
    
    PR-URL: nodejs#30567
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Denys Otrishko <shishugi@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    sam-github committed Jan 10, 2020
    Commit 056d8e5
  4. test: check that --insecure-http-parser works

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.
    
    See:
    - nodejs#30567
    
    PR-URL: nodejs#31253
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
    sam-github committed Jan 10, 2020
    Commit 58ec670

Commits on Jan 24, 2020

  1. http: make --insecure-http-parser configurable per-stream or per-server

    From the issue:
    
    > Some servers deviate from HTTP spec enough that Node.js can't
    > communicate with them, but "work" when `--insecure-http-parser`
    > is enabled globally. It would be useful to be able to use this
    > mode, as a client, only when connecting to known bad servers.
    
    This is largely equivalent to nodejs#31446
    in terms of code changes.
    
    Fixes: nodejs#31440
    Refs: nodejs#31446
    
    PR-URL: nodejs#31448
    Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    addaleax committed Jan 24, 2020
    Commit 22525e2