diff options
author | Sam Roberts <vieuxtech@gmail.com> | 2019-11-20 11:48:58 -0800 |
---|---|---|
committer | Sam Roberts <vieuxtech@gmail.com> | 2019-12-09 09:56:16 -0800 |
commit | 02a0c74861c3107e6a9a1752e91540f8d4c49a76 (patch) | |
tree | 53a80ba610ef1bf7a965b8d0b1ee60c1f2c497d6 /lib | |
parent | d7b8ae72d97557571c577a865c37e7a5b196a332 (diff) | |
download | android-node-v8-02a0c74861c3107e6a9a1752e91540f8d4c49a76.tar.gz android-node-v8-02a0c74861c3107e6a9a1752e91540f8d4c49a76.tar.bz2 android-node-v8-02a0c74861c3107e6a9a1752e91540f8d4c49a76.zip |
http: llhttp opt-in insecure HTTP header parsing
Allow insecure HTTP header parsing. Make clear it is insecure.
See:
- https://github.com/nodejs/node/pull/30553
- https://github.com/nodejs/node/issues/27711#issuecomment-556265881
- https://github.com/nodejs/node/issues/30515
PR-URL: https://github.com/nodejs/node/pull/30567
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/_http_client.js | 4 | ||||
-rw-r--r-- | lib/_http_common.js | 13 | ||||
-rw-r--r-- | lib/_http_server.js | 4 |
3 files changed, 19 insertions, 2 deletions
diff --git a/lib/_http_client.js b/lib/_http_client.js index ece93d14e0..7888ce27d5 100644 --- a/lib/_http_client.js +++ b/lib/_http_client.js @@ -39,6 +39,7 @@ const { freeParser, parsers, HTTPParser, + isLenient, prepareError, } = require('_http_common'); const { OutgoingMessage } = require('_http_outgoing'); @@ -676,7 +677,8 @@ function tickOnSocket(req, socket) { req.socket = socket; parser.initialize(HTTPParser.RESPONSE, new HTTPClientAsyncResource('HTTPINCOMINGMESSAGE', req), - req.maxHeaderSize || 0); + req.maxHeaderSize || 0, + isLenient()); parser.socket = socket; parser.outgoing = req; req.parser = parser; diff --git a/lib/_http_common.js b/lib/_http_common.js index dc6eba6333..f1386e1a09 100644 --- a/lib/_http_common.js +++ b/lib/_http_common.js @@ -28,6 +28,8 @@ const { const { setImmediate } = require('timers'); const { methods, HTTPParser } = internalBinding('http_parser'); +const { getOptionValue } = require('internal/options'); +const insecureHTTPParser = getOptionValue('--insecure-http-parser'); const FreeList = require('internal/freelist'); const incoming = require('_http_incoming'); @@ -237,6 +239,16 @@ function prepareError(err, parser, rawPacket) { err.message = `Parse Error: ${err.reason}`; } +let warnedLenient = false; + +function isLenient() { + if (insecureHTTPParser && !warnedLenient) { + warnedLenient = true; + process.emitWarning('Using insecure HTTP parsing'); + } + return insecureHTTPParser; +} + module.exports = { _checkInvalidHeaderChar: checkInvalidHeaderChar, _checkIsHttpToken: checkIsHttpToken, @@ -249,5 +261,6 @@ module.exports = { parsers, kIncomingMessage, HTTPParser, + isLenient, prepareError, }; diff --git a/lib/_http_server.js b/lib/_http_server.js index 192d0ddfb7..18b4e8d4a2 100644 --- a/lib/_http_server.js +++ b/lib/_http_server.js @@ -39,6 +39,7 @@ const { chunkExpression, kIncomingMessage, HTTPParser, + isLenient, _checkInvalidHeaderChar: checkInvalidHeaderChar, prepareError, } = require('_http_common'); @@ -410,7 +411,8 @@ function connectionListenerInternal(server, socket) { parser.initialize( HTTPParser.REQUEST, new HTTPServerAsyncResource('HTTPINCOMINGMESSAGE', socket), - server.maxHeaderSize || 0 + server.maxHeaderSize || 0, + isLenient(), ); parser.socket = socket; |