
Update http-parser for CVE. #1388

Merged
merged 1 commit into from
Feb 10, 2020

Conversation

Lukasa
Contributor

@Lukasa Lukasa commented Feb 10, 2020

Motivation:

http-parser shipped a patch for node.js CVE-2019-15605, which allowed
HTTP request smuggling. This affected SwiftNIO as well, and so we need
to immediately ship an update to help protect affected users.

A CVE for SwiftNIO will follow, but as this patch is in the wild and
SwiftNIO is known to be affected we should not delay shipping this fix.

Modifications:

  • Update http-parser.
  • Add regression tests to validate this behaviour.

Result:

Close request smuggling vector.

(cherry picked from commit f94b22b)
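The PR text names the vulnerability class (HTTP request smuggling) but not the mechanism. The following is an added illustration, not http-parser's patch, SwiftNIO's code, or a reproduction of the specific CVE-2019-15605 parsing defect: it shows the general framing checks from RFC 7230 section 3.3.3 that an HTTP/1.1 parser must enforce so that two parsers in a chain cannot disagree on where a request body ends (the disagreement smuggling exploits). The request bytes are constructed samples, and the function names are this example's own.

```python
"""Reject HTTP/1.1 requests whose body framing is ambiguous.

Added illustration of the request-smuggling class (RFC 7230 section 3.3.3),
not code from http-parser or SwiftNIO and not the specific CVE-2019-15605 bug.
"""
import re


class FramingError(ValueError):
    """Raised when the body length is ambiguous and the request must be rejected."""


def parse_headers(raw):
    """Split a raw request head into (request_line, [(name, value), ...]).

    Names are lowercased; values have optional whitespace stripped. A field line
    with whitespace before the colon or no colon at all is rejected outright,
    because lenient parsers disagree on how to treat such lines.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise FramingError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip(" \t")))
    return request_line, headers


def body_framing(headers):
    """Return ('chunked', None), ('content-length', n) or ('none', 0).

    Raises FramingError for anything two parsers could interpret differently:
    CL and TE together, chunked not last, repeated chunked, non-numeric or
    conflicting Content-Length values.
    """
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    cl_values = [v for n, v in headers if n == "content-length"]

    if te_values and cl_values:
        # CL.TE / TE.CL desync: a front end honouring CL and a back end
        # honouring TE split the byte stream at different points.
        raise FramingError("both Transfer-Encoding and Content-Length present")

    if te_values:
        # Several TE lines form one comma-separated list of codings.
        codings = [c.strip().lower() for v in te_values for c in v.split(",") if c.strip()]
        if not codings or codings[-1] != "chunked":
            # Without chunked as the final coding the body length is unknown.
            raise FramingError(f"chunked is not the final transfer-coding: {codings}")
        if codings.count("chunked") > 1:
            raise FramingError("chunked applied more than once")
        return "chunked", None

    if cl_values:
        for v in cl_values:
            if not re.fullmatch(r"[0-9]+", v):
                raise FramingError(f"invalid Content-Length value: {v!r}")
        distinct = {int(v) for v in cl_values}
        if len(distinct) != 1:
            raise FramingError(f"conflicting Content-Length values: {sorted(distinct)}")
        return "content-length", distinct.pop()

    return "none", 0


def classify(raw):
    """Convenience wrapper returning 'ok:<framing>' or 'reject:<reason>'."""
    try:
        _, headers = parse_headers(raw)
        kind, n = body_framing(headers)
        return f"ok:{kind}" if n is None or kind == "none" else f"ok:{kind}={n}"
    except FramingError as e:
        return f"reject:{e}"


# Constructed sample requests (not captured traffic).
SMUGGLE_CL_TE = (b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 6\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
TE_NOT_FINAL = (b"POST / HTTP/1.1\r\nHost: example\r\n"
                b"Transfer-Encoding: chunked, identity\r\n\r\n")
CLEAN_CHUNKED = (b"POST / HTTP/1.1\r\nHost: example\r\n"
                 b"Transfer-Encoding: gzip, chunked\r\n\r\n")
DUP_CL = (b"POST / HTTP/1.1\r\nHost: example\r\nContent-Length: 4\r\n"
          b"Content-Length: 8\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("CL.TE", SMUGGLE_CL_TE), ("TE not final", TE_NOT_FINAL),
                      ("clean", CLEAN_CHUNKED), ("dup CL", DUP_CL)]:
        print(f"{name:13} -> {classify(req)}")
```

The point of rejecting rather than "picking one" is that every hop in the path must make the same choice; a strict reject at the first parser is the only decision that cannot be disagreed with downstream. Regression tests for a fix of this class feed exactly such ambiguous heads to the parser and assert that it errors instead of yielding a body.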

@Lukasa Lukasa added the semver/patch No public API change. label Feb 10, 2020
@Lukasa Lukasa requested a review from weissi February 10, 2020 15:07
@Lukasa
Contributor Author

Lukasa commented Feb 10, 2020

The 1.14 CI seems to be entirely busted (cc @tomerd) but we've validated this fix locally, so we're going to ship it anyway.

Member

@weissi weissi left a comment


lgtm, happy for that to go in without a CI run.

@Lukasa Lukasa merged commit 8da5c5a into apple:nio-1.14 Feb 10, 2020
@Lukasa Lukasa deleted the cb-nio-1.14-http-parser-fix branch February 10, 2020 15:31