When setting response headers, if the headers contain any characters which match the regex /[^\t\x20-\x7e\x80-\xff]/ then the entire NodeJS process will die (not just a 500).
Not sure it needs fixing as it can be avoided. I'm just curious why this exception is not caught and instead leads to the Node process dying.
Logs
node:internal/errors:484
ErrorCaptureStackTrace(err);
^
TypeError [ERR_INVALID_CHAR]: Invalid character in header content ["location"]
at ServerResponse.setHeader (node:_http_outgoing:647:3)
at ServerResponse.writeHead (node:_http_server:377:21)
at setResponse (file:///.../node_modules/@sveltejs/kit/src/exports/node/index.js:118:6)
at file:///.../node_modules/@sveltejs/kit/src/exports/vite/dev/index.js:529:6
at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
code: 'ERR_INVALID_CHAR'
}
Node.js v18.12.1
System Info
Binaries:
Node: 18.12.1 - ~/.nvm/versions/node/v18.12.1/bin/node
Yarn: 1.22.19 - ~/.nvm/versions/node/v18.12.1/bin/yarn
npm: 8.19.2 - ~/.nvm/versions/node/v18.12.1/bin/npm
npmPackages:
@sveltejs/adapter-auto: next => 2.0.0
@sveltejs/kit: next => 1.15.2
svelte: next => 3.58.0
vite: ^4.2.0 => 4.2.1
Severity
serious, but I can work around it
Additional Information
Could maybe be used for Denial of Service (DoS)
Reproduction
Plausible example of +page.server.js redirecting to a user-controlled value (setting Location header) which could contain null bytes or newlines.
Example repo to run: https://github.com/bcaller/svelte-tip/blob/master/src/routes/%2Bpage.server.ts
Then hit /?n=%0D or /?n=%00 or /?n=%1e.
Note that this occurs the same regardless of whether load is marked as async or not.
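A guard for the scenario in the report, as an added example that is not from the issue or from SvelteKit: it tests the decoded `n` parameter against the regex quoted above before the value is used as a Location header. The helper names, the `/` fallback and the sample URLs are assumptions made for illustration.

```javascript
// Regex quoted in the issue: a match means the header writer rejects the value
// with ERR_INVALID_CHAR.
const INVALID_HEADER_CHAR = /[^\t\x20-\x7e\x80-\xff]/;

// Hypothetical helper: locate the first offending character, for logging.
function findInvalidHeaderChar(value) {
  const m = INVALID_HEADER_CHAR.exec(String(value));
  if (!m) return null;
  const hex = m[0].charCodeAt(0).toString(16).padStart(4, '0').toUpperCase();
  return { index: m.index, codePoint: 'U+' + hex };
}

// Hypothetical helper: choose the Location value for a redirect driven by ?n=.
// Falls back to a fixed path instead of handing an invalid value to the
// response. Whether the destination itself is allowed is a separate check.
function redirectTargetFrom(requestUrl, fallback = '/') {
  // searchParams.get() returns the percent-decoded value, so %0D is "\r" here.
  const n = new URL(requestUrl).searchParams.get('n');
  if (n === null || n === '') return { location: fallback, rejected: null };
  const bad = findInvalidHeaderChar(n);
  if (bad) return { location: fallback, rejected: bad };
  return { location: n, rejected: null };
}

// Constructed sample requests: the three query strings from the report, plus
// a plain path, a Latin-1 character (allowed by the regex) and a character
// above U+00FF (rejected by the regex even though it is printable).
const samples = [
  '/?n=%0D',
  '/?n=%00',
  '/?n=%1e',
  '/?n=/account',
  '/?n=/caf%C3%A9',
  '/?n=/%E2%82%AC',
];
for (const path of samples) {
  const result = redirectTargetFrom('http://localhost' + path);
  console.log(path, '->', JSON.stringify(result));
}
```

The last sample shows that the regex rejects any character above U+00FF as well, so ordinary non-Latin-1 text in a redirect target takes the same path as a control character.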