Diffstat (limited to 'lib/_http_server.js')
-rw-r--r-- | lib/_http_server.js | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/lib/_http_server.js b/lib/_http_server.js
index 96f05f5819..c171b1d3e7 100644
--- a/lib/_http_server.js
+++ b/lib/_http_server.js
@@ -37,7 +37,7 @@ const {
 _checkInvalidHeaderChar: checkInvalidHeaderChar
 } = require('_http_common');
 const { OutgoingMessage } = require('_http_outgoing');
-const { outHeadersKey, ondrain } = require('internal/http');
+const { outHeadersKey, ondrain, nowDate } = require('internal/http');
 const {
 defaultTriggerAsyncIdScope,
 getOrSetAsyncId
@@ -306,6 +306,7 @@ function Server(options, requestListener) {
 this.keepAliveTimeout = 5000;
 this._pendingResponseData = 0;
 this.maxHeadersCount = null;
+ this.headersTimeout = 40 * 1000; // 40 seconds
 }
 util.inherits(Server, net.Server);
@@ -344,6 +345,9 @@ function connectionListenerInternal(server, socket) {
 var parser = parsers.alloc();
 parser.reinitialize(HTTPParser.REQUEST, parser[is_reused_symbol]);
 parser.socket = socket;
+
+ // We are starting to wait for our headers.
+ parser.parsingHeadersStart = nowDate();
 socket.parser = parser;
 // Propagate headers limit from server instance to parser
@@ -481,7 +485,20 @@ function socketOnData(server, socket, parser, state, d) {
 function onParserExecute(server, socket, parser, state, ret) {
 socket._unrefTimer();
+ const start = parser.parsingHeadersStart;
 debug('SERVER socketOnParserExecute %d', ret);
+
+ // If we have not parsed the headers, destroy the socket
+ // after server.headersTimeout to protect from DoS attacks.
+ // start === 0 means that we have parsed headers.
+ if (start !== 0 && nowDate() - start > server.headersTimeout) {
+ const serverTimeout = server.emit('timeout', socket);
+
+ if (!serverTimeout)
+ socket.destroy();
+ return;
+ }
+
 onParserExecuteCommon(server, socket, parser, state, ret, undefined);
 }
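Review bot: `parser.parsingHeadersStart` is armed once per connection here and cleared to 0 in the `parserOnIncoming` hunk, and nothing in the visible hunks arms it again, so on a keep-alive connection only the first request's headers appear to be covered by the deadline. Unless it is re-armed outside this diff, later requests on the same socket are bounded only by the idle socket timeout, which a slow sender can keep resetting. I would re-arm it where the connection goes back to waiting for the next request (the response-finished path, which is outside these hunks), e.g. `socket.parser.parsingHeadersStart = nowDate();`, and add a keep-alive case to the tests. The body of connectionListenerInternal continues outside the hunk.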
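Review bot: The deadline check in `onParserExecute` leaves the socket open whenever a 'timeout' listener is registered: `server.emit('timeout', socket)` then returns true, the `return` discards the chunk, and every later chunk emits 'timeout' again. The comment should state that a listener is responsible for destroying the socket, or the code should destroy it unconditionally after emitting. `socketOnData`, which appears only as this hunk's context heading, is not changed by the diff; if it is a second route into the parser, it needs the same check. A `headersTimeout` of 0 is not treated as "disabled" by `nowDate() - start > server.headersTimeout`; if 0 is meant to switch the limit off, guard with `server.headersTimeout > 0 &&`, and document the choice either way.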
@@ -598,6 +615,9 @@ function emitCloseNT(self) {
 function parserOnIncoming(server, socket, state, req, keepAlive) {
 resetSocketTimeout(server, socket, state);
+ // Set to zero to communicate that we have finished parsing.
+ socket.parser.parsingHeadersStart = 0;
+
 if (req.upgrade) {
 req.upgrade = req.method === 'CONNECT' || server.listenerCount('upgrade') > 0; |