Paolo Insogna
04e16463d1
http: do not allow OBS fold in headers by default
...
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Fixes: https://hackerone.com/reports/2237099
PR-URL: https://github.com/nodejs-private/node-private/pull/556
CVE-ID: CVE-2024-27982
2024-04-03 11:38:30 -03:00
Node.js GitHub Bot
25a6fb6a07
deps: update llhttp to 9.2.0
...
PR-URL: https://github.com/nodejs/node/pull/51719
Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
2024-03-13 15:56:24 +00:00
Cheng Zhao
df16c69983
doc: the GN files should use Node's license
...
PR-URL: https://github.com/nodejs/node/pull/50694
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tierney Cyren <hello@bnb.im>
2023-12-28 20:27:05 +00:00
Cheng Zhao
32af45d241
build: add GN build files
...
PR-URL: https://github.com/nodejs/node/pull/47637
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
2023-11-11 09:51:05 +00:00
Node.js GitHub Bot
c6d650f179
deps: update llhttp to 9.1.3
...
PR-URL: https://github.com/nodejs/node/pull/50080
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
2023-10-24 13:49:09 -04:00
Paolo Insogna
e9ff81016d
deps: update llhttp to 9.1.2
...
PR-URL: https://github.com/nodejs/node/pull/48981
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
2023-09-16 11:08:18 +00:00
Paolo Insogna
2e6de554f6
http: disable request smuggling via empty headers
...
PR-URL: https://github.com/nodejs-private/node-private/pull/427
Fixes: https://hackerone.com/reports/2001873
Refs: https://github.com/nodejs-private/llhttp-private/pull/13
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2023-30589
2023-06-20 17:30:48 -03:00
Cheng Zhao
0d575fe61a
gyp: put filenames in variables
...
PR-URL: https://github.com/nodejs/node/pull/46965
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
2023-03-18 10:24:38 +01:00
Paolo Insogna
fd36a8dadb
deps: update llhttp to 8.1.0
...
PR-URL: https://github.com/nodejs/node/pull/44967
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
2022-10-12 15:36:23 +02:00
Paolo Insogna
2e92e5b71d
http: disable chunked encoding when OBS fold is used
...
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
PR-URL: #341
CVE-ID: CVE-2022-32213, CVE-2022-32215, CVE-2022-35256
2022-09-23 12:37:02 -03:00
Paolo Insogna
66531d51e9
tools: add update-llhttp.sh
...
PR-URL: https://github.com/nodejs/node/pull/44652
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
Co-authored-by: Tobias Nießen <tniessen@tnie.de>
Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
2022-09-19 16:00:52 +02:00
Paolo Insogna
ec0d8da838
deps: upgrade llhttp to 6.0.9
...
PR-URL: https://github.com/nodejs/node/pull/44344
Fixes: https://github.com/nodejs/node/issues/43115
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2022-08-25 01:28:49 +00:00
Paolo Insogna
d9b71f4c24
http: stricter Transfer-Encoding and header separator parsing
...
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/315
CVE-ID: CVE-2022-32215,CVE-2022-32214,CVE-2022-32212
2022-07-07 13:20:40 -03:00
Michael Dawson
c059921a9b
deps: fix llhttp version number
...
It's a bit confusing but I think that we actually have
llhttp version 6.0.6 in master versus 6.0.4. If I check
out 6.0.4 from the llhttp repo and then generate a
release it is missing changes from what we have in Node.js.
Checking out 6.0.6 seems to give the matching release
artifacts.
Signed-off-by: Michael Dawson <mdawson@devrus.com>
PR-URL: https://github.com/nodejs/node/pull/43029
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2022-05-12 11:27:03 -04:00
Matteo Collina
c2e3f85dde
deps: update llhttp to 6.0.4
...
Refs: https://hackerone.com/reports/1238099
Refs: https://hackerone.com/reports/1238709
Refs: https://github.com/nodejs-private/llhttp-private/pull/6
Refs: https://github.com/nodejs-private/llhttp-private/pull/5
CVE-ID: CVE-2021-22959
CVE-ID: CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/284
Reviewed-By: Akshay K <iit.akshay@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
2021-10-12 15:40:02 +01:00
Fedor Indutny
d798de1c65
deps: update llhttp to 6.0.2
...
Fix : #37053
See: https://github.com/nodejs/llparse/pull/44
PR-URL: https://github.com/nodejs/node/pull/38665
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Daniele Belardi <dwon.dnl@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
2021-05-20 12:32:21 -07:00
Fedor Indutny
8a973fd056
deps: update llhttp to 6.0.1
...
PR-URL: https://github.com/nodejs/node/pull/38359
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
2021-04-25 15:33:41 -07:00
Fedor Indutny
bfee9daaa5
deps: update llhttp to 6.0.0
...
See: https://github.com/nodejs/node/pull/37678#issuecomment-821156758
PR-URL: https://github.com/nodejs/node/pull/38277
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
2021-04-19 01:37:27 +00:00
Fedor Indutny
6a1986d50a
deps: update llhttp to 5.1.0
...
PR-URL: https://github.com/nodejs/node/pull/38146
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daniele Belardi <dwon.dnl@gmail.com>
2021-04-10 14:31:34 -07:00
Matteo Collina
051154e0e6
http: unset `F_CHUNKED` on new `Transfer-Encoding`
...
Duplicate `Transfer-Encoding` header should be treated as a single,
but with original header values concatenated with a comma separator. In
the light of this, even if the past `Transfer-Encoding` ended with
`chunked`, we should not let `F_CHUNKED` leak into the next
header, because mere presence of another header indicates that `chunked`
is not the last transfer-encoding token.
CVE-ID: CVE-2020-8287
Refs: https://github.com/nodejs-private/llhttp-private/pull/3
Refs: https://hackerone.com/bugs?report_id=1002188&subject=nodejs
PR-URL: https://github.com/nodejs-private/node-private/pull/228
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
2021-01-04 16:56:30 +00:00
Fedor Indutny
a694dd25d1
deps: update llhttp to 2.1.3
...
PR-URL: https://github.com/nodejs/node/pull/35435
Refs: https://github.com/nodejs/llhttp/pull/65
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
2020-10-04 08:17:10 +02:00
Fedor Indutny
cb90248c14
deps: update llhttp to 2.1.2
...
- update llhttp to 2.1.2
- modify test to support the latest llhttp
PR-URL: https://github.com/nodejs-private/node-private/pull/215
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
2020-09-15 15:39:45 -04:00
Beth Griggs
4c5b8dd7d8
deps: update llhttp to 2.0.4
...
PR-URL: https://github.com/nodejs-private/node-private/pull/199
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
2020-02-06 15:22:50 +01:00
Fedor Indutny
a7d031bf5a
deps: update llhttp to 2.0.1
...
Changelog:
* Optional SSE4.2 support (at compile time)
* Lenient mode of operation
PR-URL: https://github.com/nodejs/node/pull/30553
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
2019-11-29 16:16:30 +01:00
Fedor Indutny
c1f0cbe961
deps: update llhttp to 1.1.4
...
See: https://github.com/nodejs/llhttp/pull/26
PR-URL: https://github.com/nodejs/node/pull/28154
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
2019-06-12 14:47:59 -07:00
Fedor Indutny
c476daf6d9
deps: update llhttp to 1.1.3
...
Fixes: https://github.com/nodejs/node/issues/27584
PR-URL: https://github.com/nodejs/node/pull/27595
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
2019-05-07 16:04:02 +02:00
Fedor Indutny
7467a5d439
deps: update llhttp to 1.1.2
...
PR-URL: https://github.com/nodejs/node/pull/27513
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-05-05 13:31:38 +02:00
Fedor Indutny
8855d1df72
deps: update llhttp to 1.1.1
...
PR-URL: https://github.com/nodejs/node/pull/25753
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
2019-02-09 14:52:14 +01:00
Fedor Indutny
9d4b214106
deps: update llhttp to 1.0.1
...
Fix callback error reporting
PR-URL: https://github.com/nodejs/node/pull/24508
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
2018-11-21 14:23:27 -05:00
Fedor Indutny
d4654d89be
deps: introduce `llhttp`
...
llhttp is modern, written in human-readable TypeScript, verifiable, and
is very easy to maintain.
See: https://github.com/indutny/llhttp
PR-URL: https://github.com/nodejs/node/pull/24059
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
2018-11-10 17:54:21 -05:00