From 02a0c74861c3107e6a9a1752e91540f8d4c49a76 Mon Sep 17 00:00:00 2001
From: Sam Roberts
Date: Wed, 20 Nov 2019 11:48:58 -0800
Subject: http: llhttp opt-in insecure HTTP header parsing
Allow insecure HTTP header parsing. Make clear it is insecure.
See:
- https://github.com/nodejs/node/pull/30553
- https://github.com/nodejs/node/issues/27711#issuecomment-556265881
- https://github.com/nodejs/node/issues/30515
PR-URL: https://github.com/nodejs/node/pull/30567
Reviewed-By: Fedor Indutny
Reviewed-By: Anna Henningsen
Reviewed-By: Denys Otrishko
Reviewed-By: James M Snell
---
 lib/_http_client.js | 4 +++-
 lib/_http_common.js | 13 +++++++++++++
 lib/_http_server.js | 4 +++-
 3 files changed, 19 insertions(+), 2 deletions(-)
(limited to 'lib')
diff --git a/lib/_http_client.js b/lib/_http_client.js
index ece93d14e0..7888ce27d5 100644
--- a/lib/_http_client.js
+++ b/lib/_http_client.js
@@ -39,6 +39,7 @@ const {
 freeParser,
 parsers,
 HTTPParser,
+ isLenient,
 prepareError,
 } = require('_http_common');
 const { OutgoingMessage } = require('_http_outgoing');
@@ -676,7 +677,8 @@ function tickOnSocket(req, socket) {
 req.socket = socket;
 parser.initialize(HTTPParser.RESPONSE,
 new HTTPClientAsyncResource('HTTPINCOMINGMESSAGE', req),
- req.maxHeaderSize || 0);
+ req.maxHeaderSize || 0,
+ isLenient());
 parser.socket = socket;
 parser.outgoing = req;
 req.parser = parser;
diff --git a/lib/_http_common.js b/lib/_http_common.js
index dc6eba6333..f1386e1a09 100644
--- a/lib/_http_common.js
+++ b/lib/_http_common.js
@@ -28,6 +28,8 @@ const {
 const { setImmediate } = require('timers');
 const { methods, HTTPParser } = internalBinding('http_parser');
+const { getOptionValue } = require('internal/options');
+const insecureHTTPParser = getOptionValue('--insecure-http-parser');
 const FreeList = require('internal/freelist');
 const incoming = require('_http_incoming');
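Review bot: In the `tickOnSocket` hunk of lib/_http_client.js, the new fourth `parser.initialize()` argument comes only from `isLenient()`, which reflects a process-wide flag, so relaxing parsing for one non-compliant peer relaxes it for every client response in the process. The `connectionListenerInternal` hunk in lib/_http_server.js has the same all-or-nothing behaviour for inbound requests, which is the side that parses untrusted network input. Consider letting a per-request or per-server option take precedence and falling back to the flag, for example `req.insecureHTTPParser === undefined ? isLenient() : req.insecureHTTPParser` (the property name is a suggestion, not an existing option in this diff). A short comment at both call sites, such as `// lenient header parsing; true only under --insecure-http-parser`, would also make the extra argument self-explanatory. Both function bodies continue outside their hunks.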
@@ -237,6 +239,16 @@ function prepareError(err, parser, rawPacket) {
 err.message = `Parse Error: ${err.reason}`;
 }
+let warnedLenient = false;
+
+function isLenient() {
+ if (insecureHTTPParser && !warnedLenient) {
+ warnedLenient = true;
+ process.emitWarning('Using insecure HTTP parsing');
+ }
+ return insecureHTTPParser;
+}
+
 module.exports = {
 _checkInvalidHeaderChar: checkInvalidHeaderChar,
 _checkIsHttpToken: checkIsHttpToken,
@@ -249,5 +261,6 @@ module.exports = {
 parsers,
 kIncomingMessage,
 HTTPParser,
+ isLenient,
 prepareError,
 };
diff --git a/lib/_http_server.js b/lib/_http_server.js
index 192d0ddfb7..18b4e8d4a2 100644
--- a/lib/_http_server.js
+++ b/lib/_http_server.js
@@ -39,6 +39,7 @@ const {
 chunkExpression,
 kIncomingMessage,
 HTTPParser,
+ isLenient,
 _checkInvalidHeaderChar: checkInvalidHeaderChar,
 prepareError,
 } = require('_http_common');
@@ -410,7 +411,8 @@ function connectionListenerInternal(server, socket) {
 parser.initialize(
 HTTPParser.REQUEST,
 new HTTPServerAsyncResource('HTTPINCOMINGMESSAGE', socket),
- server.maxHeaderSize || 0
+ server.maxHeaderSize || 0,
+ isLenient(),
 );
 parser.socket = socket;
-- cgit v1.2.3
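Review bot: In the `isLenient()` hunk of lib/_http_common.js, the one-time warning `'Using insecure HTTP parsing'` is emitted without a warning type or code, so it is hard to match in logs or in a `process.on('warning')` handler when auditing which deployments run with relaxed parsing. Passing a type would make it selectable, for example `process.emitWarning('Using insecure HTTP parsing', 'SecurityWarning');`, and naming the flag in the text would tell an operator what to remove. The function also has no comment; something like `// True when --insecure-http-parser is set; warns once, on the first parser initialisation.` would record that the warning is raised lazily from the client and server call sites rather than at startup.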