* http: allow multiple WebSocket RFC6455 headers (Einar Otto Stangvik) * http: allow multiple WWW-Authenticate headers (Ben Noordhuis) * windows: support unicode argv and environment variables (Bert Belder) * tls: mitigate session renegotiation attacks (Ben Noordhuis) * tcp, pipe: don't assert on uv_accept() errors (Ben Noordhuis) * tls: Allow establishing secure connection on the existing socket (koichik) * dgram: handle close of dgram socket before DNS lookup completes (Seth Fitzsimmons) * windows: Support half-duplex pipes (Igor Zinkovsky) * build: disable omit-frame-pointer on solaris systems (Dave Pacheco) * debugger: fix --debug-brk (Ben Noordhuis) * net: fix large file downloads failing (koichik) * fs: fix ReadStream failure to read from existing fd (Christopher Jeffrey) * net: destroy socket on DNS error (Stefan Rusu) * dtrace: add missing translator (Dave Pacheco) * unix: don't flush tty on switch to raw mode (Ben Noordhuis) * windows: reset brightness when reverting to default text color (Bert Belder) * npm: update to 1.1.1 - Update which, fstream, mkdirp, request, and rimraf - Fix #2123 Set path properly for lifecycle scripts on windows - Mark the root as seen, so we don't recurse into it. Fixes #1838. (Martin Cooper)
This commit fixes a bug where the cluster module failed to propagate EADDRINUSE errors. When a worker starts a (net, http) server, it requests the listen socket from its master who then creates and binds the socket. Now, OS X and Windows don't always signal EADDRINUSE from bind() but instead defer the error until a later syscall. libuv mimics this behaviour to provide consistent behaviour across platforms but that means the worker could end up with a socket that is not actually bound to the requested addresss. That's why the worker now checks if the socket is bound, raising EADDRINUSE if that's not the case. Fixes #2721.
CommandLineToArgvW doesn't behave exactly the same as the crt, which makes it useless. This reverts commit ef032cb.
The TLS protocol allows (and sometimes requires) clients to renegotiate the session. However, renegotiation requires a disproportional amount of server-side resources, particularly CPU time, which makes it a potential vector for denial-of-service attacks. To mitigate this issue, we keep track of and limit the number of renegotiation requests over time, emitting an error if the threshold is exceeded.