cli: add --max-http-header-size flag #24811

Merged
merged 3 commits into from Dec 20, 2018

Contributor

cjihrig commented Dec 3, 2018

Allow the maximum size of HTTP headers to be overridden from the command line.

Refs: nodejs/http-parser#453
Fixes: #24692

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines
Member

mcollina commented Dec 3, 2018

Is there a matching PR for http-parser?

@cjihrig do you see this as an alternative to #24716?

Member

mcollina commented Dec 3, 2018

I think we should expose that value as a read-only property under http.

Contributor

cjihrig commented Dec 3, 2018

> Is there a matching PR for http-parser?

Yes, nodejs/http-parser#453

> do you see this as an alternative to #24716?

Not strictly an alternative. See #24716 (comment) for my feelings on having both.

Member

sam-github commented Dec 3, 2018

Probably an obvious suggestion, but perhaps you can reuse the existing tests if they are made slightly context aware wrt. the size setting, then wrap them in one that specifies a node option, like https://github.com/nodejs/node/blob/master/test/parallel/test-tls-cli-min-version-1.0.js


mcollina referenced this pull request Dec 4, 2018

deps,http: http_parser set max header size to 8KB
CVE-2018-12121

PR-URL: nodejs-private/node-private#143
Ref: nodejs-private/security#139
Ref: nodejs-private/http-parser-private#2
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Member

mcollina left a comment

LGTM

dglozic commented Dec 4, 2018

Can this be back-ported to Node 8 LTS? As of v8.14.0, people blessed with domains with a lot of cookies are broken without this option, effectively preventing them from consuming any more LTS fixes (and 8.14.0 contains a security fix as well).

@cjihrig cjihrig force-pushed the cjihrig:max-headers-size branch 3 times, most recently from d4a3a0a to 3275c64 Dec 5, 2018

Contributor

cjihrig commented Dec 5, 2018

I think I've addressed all the nits.

@mcollina, you signed off on this, but did you still want this added to the HTTP API?

Member

mcollina commented Dec 5, 2018

It would be better but it can come later if somebody needs it.

@cjihrig cjihrig referenced this pull request Dec 6, 2018

Merged

http: add maxHeaderSize property #24860

4 of 4 tasks complete

@cjihrig cjihrig force-pushed the cjihrig:max-headers-size branch from 3275c64 to 67e5595 Dec 6, 2018

Contributor

cjihrig commented Dec 6, 2018

> It would be better but it can come later if somebody needs it.

Opened #24860 to discuss separately.

Member

mcollina commented Dec 10, 2018

@cjihrig what's the status of this?

MylesBorins added a commit that referenced this pull request Dec 25, 2018

2018-12-26, Version 11.6.0 (Current)
This is a special release to add a CLI flag to set the max http header size.
This should have been included in the 11.3.0 security release.

Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    #24811

PR-URL: #25175

MylesBorins added a commit that referenced this pull request Dec 25, 2018

2018-12-26, Version 11.6.0 (Current)
Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    #24811
* crypto:
  - always accept certificates as public keys (Tobias Nießen)
    #24234
  - add key object API (Tobias Nießen) [#24234](#24234)
  - update root certificates (Sam Roberts)
    #25113
* deps:
  - upgrade to libuv 1.24.1 (cjihrig)
    #25078
  - upgrade npm to 6.5.0 (Audrey Eschright)
    #24734
* http:
  - add maxHeaderSize property (cjihrig)
    #24860

PR-URL: #25175

MylesBorins added a commit that referenced this pull request Dec 26, 2018

2018-12-26, Version 6.16.0 'Boron' (LTS)
The 6.15.0 security release introduced some unexpected breakages on
the 6.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.

Notable changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    #24811
* http:
  - add maxHeaderSize property (cjihrig)
    #24860

PR-URL: #25178

MylesBorins added a commit that referenced this pull request Dec 26, 2018

2018-12-26, Version 8.15.0 'Carbon' (LTS)
The 8.14.0 security release introduced some unexpected breakages on
the 8.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.

Notable changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    #24811
* http:
  - add maxHeaderSize property (cjihrig)
    #24860

PR-URL: #25177

MylesBorins added a commit that referenced this pull request Dec 26, 2018

2018-12-26, Version 10.15.0 'Dubnium' (LTS)
The 10.14.0 security release introduced some unexpected breakages on
the 10.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.

Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    #24811
* http:
  - add maxHeaderSize property (cjihrig)
    #24860

PR-URL: #25176

hyj1991 added a commit to aliyun-node/bug-versions that referenced this pull request Jan 8, 2019

fengmk2 added a commit to cnpm/bug-versions that referenced this pull request Jan 8, 2019

Contributor

lxe commented Jan 10, 2019

Thanks for this!

refack added a commit to refack/node that referenced this pull request Jan 14, 2019

deps: cherry-pick http_parser_set_max_header_size
This commit adds http_parser_set_max_header_size() to the
http-parser for overriding the compile time maximum HTTP
header size.

PR-URL: nodejs#24811
Fixes: nodejs#24692
Refs: nodejs/http-parser#453
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>

refack added a commit to refack/node that referenced this pull request Jan 14, 2019

src: add kUInteger parsing
This commit adds support for uint64_t option parsing.

PR-URL: nodejs#24811
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>

refack added a commit to refack/node that referenced this pull request Jan 14, 2019

cli: add --max-http-header-size flag
Allow the maximum size of HTTP headers to be overridden from
the command line.

co-authored-by: Matteo Collina <hello@matteocollina.com>
PR-URL: nodejs#24811
Fixes: nodejs#24692
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>

refack added a commit to refack/node that referenced this pull request Jan 14, 2019

2018-12-26, Version 6.16.0 'Boron' (LTS)
The 6.15.0 security release introduced some unexpected breakages on
the 6.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.

Notable changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    nodejs#24811
* http:
  - add maxHeaderSize property (cjihrig)
    nodejs#24860

PR-URL: nodejs#25178

refack added a commit to refack/node that referenced this pull request Jan 14, 2019

2018-12-26, Version 8.15.0 'Carbon' (LTS)
The 8.14.0 security release introduced some unexpected breakages on
the 8.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.

Notable changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    nodejs#24811
* http:
  - add maxHeaderSize property (cjihrig)
    nodejs#24860

PR-URL: nodejs#25177

refack added a commit to refack/node that referenced this pull request Jan 14, 2019

2018-12-26, Version 10.15.0 'Dubnium' (LTS)
The 10.14.0 security release introduced some unexpected breakages on
the 10.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.

Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    nodejs#24811
* http:
  - add maxHeaderSize property (cjihrig)
    nodejs#24860

PR-URL: nodejs#25176

refack added a commit to refack/node that referenced this pull request Jan 14, 2019

2018-12-26, Version 11.6.0 (Current)
Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    nodejs#24811
* crypto:
  - always accept certificates as public keys (Tobias Nießen)
    nodejs#24234
  - add key object API (Tobias Nießen) [nodejs#24234](nodejs#24234)
  - update root certificates (Sam Roberts)
    nodejs#25113
* deps:
  - upgrade to libuv 1.24.1 (cjihrig)
    nodejs#25078
  - upgrade npm to 6.5.0 (Audrey Eschright)
    nodejs#24734
* http:
  - add maxHeaderSize property (cjihrig)
    nodejs#24860

PR-URL: nodejs#25175