author | Sam Roberts <vieuxtech@gmail.com> | 2019-11-20 22:48:58 +0300 |
---|---|---|
committer | Michaƫl Zasso <targos@protonmail.com> | 2019-12-10 12:09:38 +0300 |
commit | daca0780b133801322ef56d3288f38b0333f864b (patch) | |
tree | 5136ff9e421c48216301e1113db1d145f51fa3a0 /src | |
parent | 7e1dee334729beb65db52586f90703385b40da61 (diff) |
http: llhttp opt-in insecure HTTP header parsing
Allow insecure HTTP header parsing. Make clear it is insecure.
See:
- https://github.com/nodejs/node/pull/30553
- https://github.com/nodejs/node/issues/27711#issuecomment-556265881
- https://github.com/nodejs/node/issues/30515
PR-URL: https://github.com/nodejs/node/pull/30567
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/node_http_parser.cc | 7 | ||||
-rw-r--r-- | src/node_options.cc | 4 | ||||
-rw-r--r-- | src/node_options.h | 2 |
3 files changed, 11 insertions, 2 deletions
diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc index 0328dc7c0f6..5e1da912e0c 100644 --- a/src/node_http_parser.cc +++ b/src/node_http_parser.cc @@ -486,11 +486,13 @@ class Parser : public AsyncWrap, public StreamListener { static void Initialize(const FunctionCallbackInfo<Value>& args) { Environment* env = Environment::GetCurrent(args); + bool lenient = args[3]->IsTrue(); uint64_t max_http_header_size = 0; CHECK(args[0]->IsInt32()); CHECK(args[1]->IsObject()); + if (args.Length() > 2) { CHECK(args[2]->IsNumber()); max_http_header_size = args[2].As<Number>()->Value(); @@ -515,7 +517,7 @@ class Parser : public AsyncWrap, public StreamListener { parser->set_provider_type(provider); parser->AsyncReset(args[1].As<Object>()); - parser->Init(type, max_http_header_size); + parser->Init(type, max_http_header_size, lenient); } template <bool should_pause> @@ -762,8 +764,9 @@ class Parser : public AsyncWrap, public StreamListener { } - void Init(llhttp_type_t type, uint64_t max_http_header_size) { + void Init(llhttp_type_t type, uint64_t max_http_header_size, bool lenient) { llhttp_init(&parser_, type, &settings); + llhttp_set_lenient(&parser_, lenient); header_nread_ = 0; url_.Reset(); status_message_.Reset(); diff --git a/src/node_options.cc b/src/node_options.cc index abf26fb7819..831540f993f 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -375,6 +375,10 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() { &EnvironmentOptions::heap_snapshot_signal, kAllowedInEnvironment); AddOption("--http-parser", "", NoOp{}, kAllowedInEnvironment); + AddOption("--insecure-http-parser", + "use an insecure HTTP parser that accepts invalid HTTP headers", + &EnvironmentOptions::insecure_http_parser, + kAllowedInEnvironment); AddOption("--input-type", "set module type for string input", &EnvironmentOptions::module_type, diff --git a/src/node_options.h b/src/node_options.h index c4cb5dc04f1..7b3ae19fe6c 100644 --- a/src/node_options.h 
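Review bot: `bool lenient = args[3]->IsTrue();` in Initialize reads the fourth argument ahead of the argument checks, without the `args.Length() > 2` guard and `CHECK` that `args[2]` gets a few lines below. This fails closed, since an out-of-range index on a V8 `FunctionCallbackInfo` yields undefined and any value other than `true` leaves the parser strict, but nothing in the code says that is deliberate. I would add a comment such as `// args[3] is optional; anything other than literal true keeps strict parsing.` and, if callers are expected to pass a boolean, `CHECK(args[3]->IsUndefined() || args[3]->IsBoolean());`. Initialize's body continues outside the hunk.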
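Review bot: The new `lenient` parameter of Init has no comment saying what it relaxes or why `llhttp_set_lenient(&parser_, lenient);` has to sit directly after `llhttp_init`. As far as I can tell llhttp_init resets the parser state, so the flag must be re-applied on every Init and a later reordering would silently change the parsing mode. Accepting invalid headers is also the usual precondition for parser-differential problems such as request smuggling when a proxy in front parses more strictly, so the call deserves a comment: `// Re-apply after llhttp_init(); lenient accepts invalid HTTP headers and is unsafe for untrusted peers.` Init's body continues outside the hunk.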
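Review bot: Registering `--insecure-http-parser` with `kAllowedInEnvironment` means the parser can be downgraded for the whole process through `NODE_OPTIONS`, by whoever controls the environment rather than the command line. If that is intended, I would say so above the `AddOption` call, e.g. `// Deliberately allowed in NODE_OPTIONS; weakens header validation process-wide.` The src part of this diff shows no startup warning when the flag is set; if the JS side does not emit one either, a one-time warning would give operators something to alert on. The constructor body continues outside the hunk.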
+++ b/src/node_options.h @@ -158,6 +158,8 @@ class EnvironmentOptions : public Options { bool print_eval = false; bool force_repl = false; + bool insecure_http_parser = false; + bool tls_min_v1_0 = false; bool tls_min_v1_1 = false; bool tls_min_v1_2 = false; |