diff options
author | Matteo Collina <hello@matteocollina.com> | 2018-08-23 16:46:07 +0200 |
---|---|---|
committer | Rod Vagg <rod@vagg.org> | 2018-11-28 11:36:34 +1100 |
commit | ee618a7ab239c98d945c723a4e225bc409151736 (patch) | |
tree | b70be2ea28bb3773d6c455a61a273cf8c5edbfb8 /doc/api/https.md | |
parent | 7bfcfc2ffe4940898cf7b70890a55eb91cbdd112 (diff) | |
download | android-node-v8-ee618a7ab239c98d945c723a4e225bc409151736.tar.gz android-node-v8-ee618a7ab239c98d945c723a4e225bc409151736.tar.bz2 android-node-v8-ee618a7ab239c98d945c723a4e225bc409151736.zip |
http,https: protect against slow headers attack
CVE-2018-12122
An attacker can send a char/s within headers and exahust the resources
(file descriptors) of a system even with a tight max header length
protection. This PR destroys a socket if it has not received the headers
in 40s.
PR-URL: https://github.com/nodejs-private/node-private/pull/144
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'doc/api/https.md')
-rw-r--r-- | doc/api/https.md | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/api/https.md b/doc/api/https.md index 777fbab741..81a5bcce93 100644 --- a/doc/api/https.md +++ b/doc/api/https.md @@ -44,6 +44,12 @@ This method is identical to [`server.listen()`][] from [`net.Server`][]. See [`http.Server#maxHeadersCount`][]. +### server.headersTimeout + +- {number} **Default:** `40000` + +See [`http.Server#headersTimeout`][]. + ### server.setTimeout([msecs][, callback]) <!-- YAML added: v0.11.2 @@ -363,6 +369,7 @@ headers: max-age=0; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; p [`http.Agent`]: http.html#http_class_http_agent [`http.Server#keepAliveTimeout`]: http.html#http_server_keepalivetimeout [`http.Server#maxHeadersCount`]: http.html#http_server_maxheaderscount +[`http.Server#headersTimeout`]: http.html#http_server_headerstimeout [`http.Server#setTimeout()`]: http.html#http_server_settimeout_msecs_callback [`http.Server#timeout`]: http.html#http_server_timeout [`http.Server`]: http.html#http_class_http_server |