Snapshots speed up start-up by a few milliseconds but are potentially
dangerous because of the fixed hash seed that is used for strings and
dictionaries, making collision denial-of-service attacks possible.
Release builds on iojs.org have snapshots disabled but source builds
did not, until now.
The risk for individual source builds is low; the binary gets a random
32 bits hash seed that should be hard to guess by an external attacker.
It's when binaries are distributed by, for example, a distro vendor
that the fixed hash seed becomes a vulnerability, because then it's
possible to target a large group of people at once.
People that really need the faster start-up time can use the new
--with-snapshot configure flag.
PR-URL: https://github.com/iojs/io.js/pull/585
Reviewed-By: Bert Belder <bertbelder@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rod Vagg <rod@vagg.org>
There is no need to check `flowing` since `resume` does
nothing when `flowing` is already true.
PR-URL: https://github.com/iojs/io.js/pull/511
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Notable changes:
* npm upgrade to 2.3.0 fixes Windows "uid is undefined" errors
* crypto.pseudoRandomBytes() is now an alias for crypto.randomBytes()
and will block if there is insufficient entropy to produce secure
values. See https://github.com/iojs/io.js/commit/e5e5980 for details.
* Patch for V8 to properly detect ARMv6; binaries now work again on
ARMv6 (Raspberry Pi etc.)
* Minor V8 upgrade from 4.1.0.7 to 4.1.0.12
* 'punycode' core module bumped from stability level 2-Unstable,
to 3-Stable
* Added new collaborators:
- Thorsten Lorenz (@thlorenz)
- Stephen Belanger (@qard)
- Jeremiah Senkpiel (@fishrock123)
- Evan Lucas (@evanlucas)
- Brendan Ashworth (@brendanashworth)
Using the new tools/update-authors.sh script so this is
redundant
PR-URL: https://github.com/iojs/io.js/pull/582
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Moment of truth?
PR-URL: https://github.com/iojs/io.js/pull/587
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Brendan Ashworth <brendan.ashworth@me.com>
Previously `toc.markdown` was alphabetized but `all.markdown` was not.
PR-URL: https://github.com/iojs/io.js/pull/566
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
PR-URL: #580
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
* Fetch from the correct url.
* Link compiled addons with iojs.lib instead of node.lib.
* Disable checksum checks for iojs.lib until our website supports
them.
PR: https://github.com/iojs/io.js/pull/422
Reviewed-by: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-by: Rod Vagg <rod@vagg.org>
* Windows improvements: no more uid is undefined errors, use `%COMSPEC%`
when set in preference to hardcoded `cmd`, improved handling of Git
remotes.
* Add caching based on Last-Modified / If-Modified-Since headers in
addition to Etag-based cache validation.
PR-URL: https://github.com/iojs/io.js/pull/573
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
When address is not provided to `server.listen()`, `_connectionKey` and
error messages should include actual address and correct family.
PR-URL: https://github.com/iojs/io.js/pull/539
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
It is supposed to test an internal debug feature but what it effectively
ends up testing, is the exact lifecyle of different kinds of internal
handles.
Lifecycles are different across releases and platforms, making the test
fail intermittently or, in some environments, consistently. It's not a
good test, delete it.
PR-URL: https://github.com/iojs/io.js/pull/575
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Ameliorate a timing sensitivity issue by switching from setImmediate()
to setTimeout() with a 50 ms timeout.
This commit also adds EPIPE as an accepted error (besides ECONNABORT
and ECONNRESET) because that's a plausible outcome given the timing
sensitive nature of test.
PR-URL: https://github.com/iojs/io.js/pull/575
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
The test expects EADDRNOTAVAIL when trying to bind to address 111::1.
Systems that have IPv6 disabled throw EAFNOSUPPORT instead, however.
Update the test accordingly.
PR-URL: https://github.com/iojs/io.js/pull/575
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Overriding module argument with const causes a SyntaxError. This
commit changes the variable name to remove the error.
PR-URL: https://github.com/iojs/io.js/pull/572
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
This commit introduces a nop function that is used as the
Writable.prototype.write() callback when one is not provided.
This saves on function object creation.
PR-URL: https://github.com/iojs/io.js/pull/564
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
The punycode library has been in the tree for over three years now and
has been de facto stable for all that time, if not perhaps de jure.
Let's make it official.
PR-URL: https://github.com/iojs/io.js/pull/470
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Previously pseudoRandomBytes worked similarly to randomBytes but in the
event of insufficient entropy would silently return non-secure values.
As of f68a116, the entropy pool blocks if there is insufficient entropy
instead of giving an error so there is now no longer a case where
pseudoRandomBytes would act differently than randomBytes.
Docs are updated to remove pseudoRandomBytes and to clarify that
randomBytes now does block instead of erring when entropy is low.
PR-URL: https://github.com/iojs/io.js/pull/557
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Remove the configure check, the flag was dropped in V8 3.28.
PR-URL: https://github.com/iojs/io.js/pull/559
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Updates the docs for the crypto.pseudoRandomBytes function
to more explicitly detail how it's the same as crypto.randomBytes
just without a safety net (e.g. it doesn't throw an error when
there is low entropy).
PR-URL: https://github.com/iojs/io.js/pull/545
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
`url.format()` doesn't take a `path` option; the change that
introduced it was reverted in 913addbff5.
PR: https://github.com/iojs/io.js/pull/546
Reviewed-by: Ben Noordhuis <info@bnoordhuis.nl>
These flags were defined as constants, but could be
overwritten when exported from fs. This commit exports
the flags as read only properties of fs.
PR-URL: https://github.com/iojs/io.js/pull/507
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
This commit replaces a number of var statements throughout
the lib code with const statements.
PR-URL: https://github.com/iojs/io.js/pull/541
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Since setting object properties in C++ can be slow, pass
data to JS using preallocated smalloc buffer and create
object in JS instead.
PR-URL: https://github.com/iojs/io.js/pull/469
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Mark several methods "override" in order to remove build warnings.
PR-URL: https://github.com/iojs/io.js/pull/531
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This can make node_is_initialized correctly set to true for applications
that use node::Init to embed iojs.
PR-URL: https://github.com/iojs/io.js/pull/225/
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Remove a few unused or barely used macros from src/node_file.cc.
PR-URL: https://github.com/iojs/io.js/pull/529
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Rename the misnomers ASSERT_IS_STRING_OR_BUFFER and ASSERT_IS_BUFFER.
Said macros don't assert, they throw a TypeError and return.
PR-URL: https://github.com/iojs/io.js/pull/529
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Ben Noordhuis
Johan Bergström
cjihrig
Fedor Indutny
Nikolai Vavilov
Vladimir Kurchatkin
Jonathan Ong
Rod Vagg
Andres Suarez
Brendan Ashworth
Evan Lucas
Brendan Ashworth
Fishrock123
Stephen Belanger
Bert Belder
Forrest L Norvell
Thorsten Lorenz
Icer Liang
Todd Kennedy
Calvin Metcalf
Jackson Tian
Yosuke Furukawa
Trevor Norris
Cheng Zhao