diff options
author | Matteo Collina <hello@matteocollina.com> | 2018-08-23 17:46:07 +0300 |
---|---|---|
committer | Rod Vagg <rod@vagg.org> | 2018-11-27 07:07:09 +0300 |
commit | 696f063c5e9157fd10859515da00fd8bd190d76d (patch) | |
tree | fa1d77499696773138310b3bbf6c93065e38534d /doc | |
parent | 93dba83fb0fb46ee2ea87163f435392490b4d59b (diff) |
http,https: protect against slow headers attack
CVE-2018-12122
An attacker can send a char/s within headers and exahust the resources
(file descriptors) of a system even with a tight max header length
protection. This PR destroys a socket if it has not received the headers
in 40s.
PR-URL: https://github.com/nodejs-private/node-private/pull/151
Ref: https://github.com/nodejs-private/node-private/pull/144
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/api/http.md | 20 | ||||
-rw-r--r-- | doc/api/https.md | 7 |
2 files changed, 27 insertions, 0 deletions
diff --git a/doc/api/http.md b/doc/api/http.md index 9b0be0b61bc..9dc46b13f34 100644 --- a/doc/api/http.md +++ b/doc/api/http.md @@ -882,6 +882,26 @@ added: v0.7.0 Limits maximum incoming headers count. If set to 0 - no limit will be applied. +### server.headersTimeout +<!-- YAML +added: REPLACEME +--> + +* {number} **Default:** `40000` + +Limit the amount of time the parser will wait to receive the complete HTTP +headers. + +In case of inactivity, the rules defined in [server.timeout][] apply. However, +that inactivity based timeout would still allow the connection to be kept open +if the headers are being sent very slowly (by default, up to a byte per 2 +minutes). In order to prevent this, whenever header data arrives an additional +check is made that more than `server.headersTimeout` milliseconds has not +passed since the connection was established. If the check fails, a `'timeout'` +event is emitted on the server object, and (by default) the socket is destroyed. +See [server.timeout][] for more information on how timeout behaviour can be +customised. + ### server.setTimeout([msecs][, callback]) <!-- YAML added: v0.9.12 diff --git a/doc/api/https.md b/doc/api/https.md index ee023810f80..f6c0da5cbb0 100644 --- a/doc/api/https.md +++ b/doc/api/https.md @@ -36,6 +36,12 @@ See [`server.close()`][`http.close()`] from the HTTP module for details. Starts the HTTPS server listening for encrypted connections. This method is identical to [`server.listen()`][] from [`net.Server`][]. +### server.headersTimeout + +- {number} **Default:** `40000` + +See [`http.Server#headersTimeout`][]. + ### server.setTimeout([msecs][, callback]) <!-- YAML added: v0.11.2 @@ -253,6 +259,7 @@ const req = https.request(options, (res) => { [`URL`]: url.html#url_the_whatwg_url_api [`http.Agent`]: http.html#http_class_http_agent [`http.Server#keepAliveTimeout`]: http.html#http_server_keepalivetimeout +[`http.Server#headersTimeout`]: http.html#http_server_headerstimeout [`http.Server#setTimeout()`]: http.html#http_server_settimeout_msecs_callback [`http.Server#timeout`]: http.html#http_server_timeout [`http.Server`]: http.html#http_class_http_server |