http: Emit all socket errors on the request object #4620

wants to merge 1 commit into


None yet

1 participant

isaacs commented Jan 18, 2013

This fixes #3945

The potential hazard is that anyone who doesn't add a req.on('error', handler) in their http server is now vulnerable to a DoS attack. Perhaps we should check for a req.listeners('error').length before emitting on the request?

/cc @bnoordhuis @piscisaureus

isaacs commented Jan 18, 2013

Actually, it looks like we already are protecting against session reneg attacks, but the error was just going to the server.clientError event, which no one listens to.

So, in the case of http errors, is it better to have these sockets just silently killed, or raise them on the request object? I'm inclined to think that what we're doing already is better.

@isaacs isaacs closed this Jan 18, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment