-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update http parser 2.9.1 v12.x #30473
Update http parser 2.9.1 v12.x #30473
Conversation
d96c765
to
b08601b
Compare
Should not be included until it can be released with a backport of #30567 |
2fec4f5
to
9ac0a2c
Compare
Since this introduces a breaking change in HTTP parsing I backported 02a0c74 on top of it. See:
Original commit message below, since it now applies to both parsers (lhttp-parser aka "legacy" and llhttp), I changed the description to:
|
ffc453a
to
945711e
Compare
945711e
to
f094fab
Compare
#31253 should also be backported onto this, I'll do it once it has been approved. |
@sam-github is this ready to land now? |
It lacks code review, and also see #30473 (comment), it lacks a unit test (as does master). 12.x just went out, I think this can wait a couple days to get the above in order, it'll land in time for the next 12.x release. |
3900f4a
to
32e5c39
Compare
11c2aac
to
d694bdb
Compare
Reapplying HTTP_MAX_HEADER_SIZE=8192 to http_parser.gyp. CVE-2018-12121 PR-URL: https://github.com/nodejs-private/node-private/pull/143 Ref: https://github.com/nodejs-private/security/issues/139 Ref: https://github.com/nodejs-private/http-parser-private/pull/2 Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs#30553 - nodejs#27711 (comment) - nodejs#30515 PR-URL: nodejs#30567 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs#30567 PR-URL: nodejs#31253 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
d694bdb
to
2e5037b
Compare
@nodejs/lts PTAL. Note that in the last commit, the backport of #31253 , I duplicated the test so that it runs with the legacy as well as the llhttp parser. |
This is ready to land on v12.x-staging @nodejs/lts |
10b7951
to
0a4cfef
Compare
Marked |
PR-URL: #30473 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reapplying HTTP_MAX_HEADER_SIZE=8192 to http_parser.gyp. CVE-2018-12121 PR-URL: nodejs-private/node-private#143 Backport-PR-URL: #30473 Ref: nodejs-private/security#139 Ref: nodejs-private/http-parser-private#2 Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Allow insecure HTTP header parsing. Make clear it is insecure. See: - #30553 - #27711 (comment) - #30515 PR-URL: #30567 Backport-PR-URL: #30473 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Reapplying HTTP_MAX_HEADER_SIZE=8192 to http_parser.gyp. CVE-2018-12121 PR-URL: nodejs-private/node-private#143 Backport-PR-URL: #30473 Ref: nodejs-private/security#139 Ref: nodejs-private/http-parser-private#2 Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Backport d41314e Original commit message: PR-URL: nodejs/node#30473 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Backport 496736f Original commit message: Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs/node#30553 - nodejs/node#27711 (comment) - nodejs/node#30515 PR-URL: nodejs/node#30567 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Backport ab1fcb8 Original commit message: Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs/node#30567 PR-URL: nodejs/node#31253 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Backport 496736f Original commit message: Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs/node#30553 - nodejs/node#27711 (comment) - nodejs/node#30515 PR-URL: nodejs/node#30567 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Backport ab1fcb8 Original commit message: Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs/node#30567 PR-URL: nodejs/node#31253 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Backport d41314e Original commit message: PR-URL: nodejs/node#30473 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Backport 496736f Original commit message: Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs/node#30553 - nodejs/node#27711 (comment) - nodejs/node#30515 PR-URL: nodejs/node#30567 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Backport ab1fcb8 Original commit message: Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs/node#30567 PR-URL: nodejs/node#31253 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
We don't use nodejs/http-parser in 13.x and master, but it exists on 8, 10, and 12, and has security fixes.
I suggest we update it, I PRed all three branches:
I'm not sure if this is right way, maybe I should have just PRed 12.x, and the backports would flow down? Except 8.x doesn't get a lot of updates, its likely worth getting these known sec fixes in before it's EOL.
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes