diff options
| author | Myles Borins <mylesborins@google.com> | 2017-10-13 08:10:44 +0300 |
|---|---|---|
| committer | Myles Borins <mylesborins@google.com> | 2017-10-24 17:59:57 +0300 |
| commit | c2b1435b5583f78de555b903f7aaab5a22e601eb (patch) | |
| tree | 75ad13d20504656d82a8be141f57bfa65776610b /doc | |
| parent | 78a6ef46a941359b7fa0d1101dce85d39c61726b (diff) | |
zlib: gracefully set windowBits from 8 to 9
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were
released. These versions bumped the vendored zlib library from
v1.2.8 to v1.2.11 in response to what it describes as low-severity
CVEs. In zlib v1.2.9, a change was made that causes an error to be
raised when a raw deflate stream is initialised with windowBits set
to 8.
In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib
module will crash if you call this:
```
zlib.createDeflateRaw({windowBits: 8})
```
On some versions this crashes Node and you cannot recover from it, while on some
versions it throws an exception. The permessage-deflate library up to
version v0.1.5 does make such a call with no try/catch
This commit reverts to the original behavior of zlib by gracefully changed
windowBits: 8 to windowBits: 9 for raw deflate streams.
PR-URL: https://github.com/nodejs-private/node-private/pull/95
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/api/zlib.md | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/doc/api/zlib.md b/doc/api/zlib.md index a8aebb585b0..85a3743a9a3 100644 --- a/doc/api/zlib.md +++ b/doc/api/zlib.md @@ -458,9 +458,13 @@ added: v0.5.8 Creates and returns a new [DeflateRaw][] object with the given [options][]. -*Note*: The zlib library rejects requests for 256-byte windows (i.e., -`{ windowBits: 8 }` in `options`). An `Error` will be thrown when creating -a [DeflateRaw][] object with this specific value of the `windowBits` option. +*Note*: An upgrade of zlib from 1.2.8 to 1.2.11 changed behavior when windowBits +is set to 8 for raw deflate streams. zlib does not have a working implementation +of an 8-bit Window for raw deflate streams and would automatically set windowBit +to 9 if initially set to 8. Newer versions of zlib will throw an exception. +This creates a potential DOS vector, and as such the behavior ahs been reverted +in Node.js 8, 6, and 4. Node.js version 9 and higher will throw when windowBits +is set to 8. ## zlib.createGunzip([options]) <!-- YAML |