Update http parser 2.9.1 v12.x #30473
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nodejs-github-bot
added
http_parser
gengjiawen
approved these changes
Nov 15, 2019
BethGriggs
force-pushed
the
v12.x-staging
branch
from
d96c765
to
b08601b
Compare
|
Should not be included until it can be released with a backport of #30567 |
sam-github
force-pushed
the
update-http_parser-2.9.1-v12.x
branch
from
2fec4f5
to
9ac0a2c
Compare
|
Since this introduces a breaking change in HTTP parsing I backported 02a0c74 on top of it. See:
Original commit message below, since it now applies to both parsers (lhttp-parser aka "legacy" and llhttp), I changed the description to:
|
sam-github
force-pushed
the
update-http_parser-2.9.1-v12.x
branch
from
ffc453a
to
945711e
Compare
sam-github
force-pushed
the
update-http_parser-2.9.1-v12.x
branch
from
945711e
to
f094fab
Compare
|
#31253 should also be backported onto this, I'll do it once it has been approved. |
|
@sam-github is this ready to land now? |
|
It lacks code review, and also see #30473 (comment), it lacks a unit test (as does master). 12.x just went out, I think this can wait a couple days to get the above in order, it'll land in time for the next 12.x release. |
targos
force-pushed
the
v12.x-staging
branch
2 times, most recently
from
3900f4a
to
32e5c39
Compare
sam-github
force-pushed
the
update-http_parser-2.9.1-v12.x
branch
2 times, most recently
from
11c2aac
to
d694bdb
Compare
Reapplying HTTP_MAX_HEADER_SIZE=8192 to http_parser.gyp. CVE-2018-12121 PR-URL: https://github.com/nodejs-private/node-private/pull/143 Ref: https://github.com/nodejs-private/security/issues/139 Ref: https://github.com/nodejs-private/http-parser-private/pull/2 Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs#30553 - nodejs#27711 (comment) - nodejs#30515 PR-URL: nodejs#30567 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs#30567 PR-URL: nodejs#31253 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
sam-github
force-pushed
the
update-http_parser-2.9.1-v12.x
branch
from
d694bdb
to
2e5037b
Compare
|
@nodejs/lts PTAL. Note that in the last commit, the backport of #31253 , I duplicated the test so that it runs with the legacy as well as the llhttp parser. |
4 tasks
jasnell
approved these changes
Jan 10, 2020
|
This is ready to land on v12.x-staging @nodejs/lts |
richardlau
approved these changes
Jan 10, 2020
MylesBorins
force-pushed
the
v12.x-staging
branch
from
10b7951
to
0a4cfef
Compare
sam-github
added
the
semver-minor
|
Marked |
targos
pushed a commit
that referenced
this pull request
Jan 14, 2020
PR-URL: #30473 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
targos
pushed a commit
that referenced
this pull request
Jan 14, 2020
Reapplying HTTP_MAX_HEADER_SIZE=8192 to http_parser.gyp. CVE-2018-12121 PR-URL: nodejs-private/node-private#143 Backport-PR-URL: #30473 Ref: nodejs-private/security#139 Ref: nodejs-private/http-parser-private#2 Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Anna Henningsen <anna@addaleax.net>
targos
pushed a commit
that referenced
this pull request
Jan 14, 2020
Allow insecure HTTP header parsing. Make clear it is insecure. See: - #30553 - #27711 (comment) - #30515 PR-URL: #30567 Backport-PR-URL: #30473 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
BethGriggs
pushed a commit
that referenced
this pull request
Feb 6, 2020
Reapplying HTTP_MAX_HEADER_SIZE=8192 to http_parser.gyp. CVE-2018-12121 PR-URL: nodejs-private/node-private#143 Backport-PR-URL: #30473 Ref: nodejs-private/security#139 Ref: nodejs-private/http-parser-private#2 Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Anna Henningsen <anna@addaleax.net>
zsw007
added a commit
to ibmruntimes/node
that referenced
this pull request
Feb 11, 2020
Backport d41314e Original commit message: PR-URL: nodejs/node#30473 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
zsw007
added a commit
to ibmruntimes/node
that referenced
this pull request
Feb 11, 2020
Backport 496736f Original commit message: Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs/node#30553 - nodejs/node#27711 (comment) - nodejs/node#30515 PR-URL: nodejs/node#30567 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
zsw007
added a commit
to ibmruntimes/node
that referenced
this pull request
Feb 11, 2020
Backport ab1fcb8 Original commit message: Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs/node#30567 PR-URL: nodejs/node#31253 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
zsw007
added a commit
to ibmruntimes/node
that referenced
this pull request
Feb 12, 2020
Backport 496736f Original commit message: Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs/node#30553 - nodejs/node#27711 (comment) - nodejs/node#30515 PR-URL: nodejs/node#30567 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
zsw007
added a commit
to ibmruntimes/node
that referenced
this pull request
Feb 12, 2020
Backport ab1fcb8 Original commit message: Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs/node#30567 PR-URL: nodejs/node#31253 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
zsw007
added a commit
to ibmruntimes/node
that referenced
this pull request
Feb 12, 2020
Backport d41314e Original commit message: PR-URL: nodejs/node#30473 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com>
zsw007
added a commit
to ibmruntimes/node
that referenced
this pull request
Feb 12, 2020
Backport 496736f Original commit message: Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs/node#30553 - nodejs/node#27711 (comment) - nodejs/node#30515 PR-URL: nodejs/node#30567 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
zsw007
added a commit
to ibmruntimes/node
that referenced
this pull request
Feb 12, 2020
Backport ab1fcb8 Original commit message: Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs/node#30567 PR-URL: nodejs/node#31253 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We don't use nodejs/http-parser in 13.x and master, but it exists on 8, 10, and 12, and has security fixes.
I suggest we update it, I PRed all three branches:
I'm not sure if this is right way, maybe I should have just PRed 12.x, and the backports would flow down? Except 8.x doesn't get a lot of updates, its likely worth getting these known sec fixes in before it's EOL.
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes