http: Emit all socket errors on the request object #4620

Closed
wants to merge 1 commit into
from

Projects

None yet

1 participant

@isaacs
isaacs commented Jan 18, 2013

This fixes #3945

The potential hazard is that anyone who doesn't add a req.on('error', handler) in their http server is now vulnerable to a DoS attack. Perhaps we should check for a req.listeners('error').length before emitting on the request?

/cc @bnoordhuis @piscisaureus

@isaacs
isaacs commented Jan 18, 2013

Actually, it looks like we already are protecting against session reneg attacks, but the error was just going to the server.clientError event, which no one listens to.

So, in the case of http errors, is it better to have these sockets just silently killed, or raise them on the request object? I'm inclined to think that what we're doing already is better.

@isaacs isaacs closed this Jan 18, 2013
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment