http2: handle 0-length headers better

Ignore headers with 0-length names and track memory for headers the way we track it for other HTTP/2 session memory too. This is intended to mitigate CVE-2019-9516. Backport-PR-URL: https://github.com/nodejs/node/pull/29123 PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
author: Anna Henningsen <anna@addaleax.net> 2019-08-11 00:10:54 +0300
committer: Beth Griggs <Bethany.Griggs@uk.ibm.com> 2019-08-15 17:20:32 +0300
commit: f4242e24f9f4fb185909f040cbd2dd889d79439b (patch)
tree: f3bc068413084c0a87ee18d6f88dbe5f94f71eac /test
parent: 477461a51f64ec6969654d98018281b0ba2a5464 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/test/parallel/test-http2-zero-length-header.js b/test/parallel/test-http2-zero-length-header.js
new file mode 100644
index 00000000000..7b142d75f00
--- /dev/null
+++ b/test/parallel/test-http2-zero-length-header.js
@@ -0,0 +1,25 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const http2 = require('http2');
+
+const server = http2.createServer();
+server.on('stream', (stream, headers) => {
+  assert.deepStrictEqual(headers, {
+    ':scheme': 'http',
+    ':authority': `localhost:${server.address().port}`,
+    ':method': 'GET',
+    ':path': '/',
+    'bar': '',
+    '__proto__': null
+  });
+  stream.session.destroy();
+  server.close();
+});
+server.listen(0, common.mustCall(() => {
+  const client = http2.connect(`http://localhost:${server.address().port}/`);
+  client.request({ ':path': '/', '': 'foo', 'bar': '' }).end();
+}));
author	Anna Henningsen <anna@addaleax.net>	2019-08-11 00:10:54 +0300
committer	Beth Griggs <Bethany.Griggs@uk.ibm.com>	2019-08-15 17:20:32 +0300
commit	f4242e24f9f4fb185909f040cbd2dd889d79439b (patch)
tree	f3bc068413084c0a87ee18d6f88dbe5f94f71eac /test
parent	477461a51f64ec6969654d98018281b0ba2a5464 (diff)