New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http: certain response headers do not allow multiple instances #3090

Closed
wants to merge 5 commits into
base: master
from

Conversation

Projects
None yet
5 participants
@jasnell
Member

jasnell commented Sep 27, 2015

This PR does two things:

  1. Adds a quick callback check
  2. Limits certain response headers from having multiple instances

For instance, ETag does not allow for multiple instances, but the current code will concat multiple instances into a comma separated list. Likewise for Last-Updated.

@thefourtheye thefourtheye added the http label Sep 27, 2015

@thefourtheye

View changes

test/parallel/test-http-response-multiheaders.js Outdated
res.end('ok');
});
server.listen(common.PORT, function() {

This comment has been minimized.

@thefourtheye

thefourtheye Sep 27, 2015

Contributor

add common.mustCall here and in the next line.

@thefourtheye

View changes

test/parallel/test-http-response-multiheaders.js Outdated
'use strict';
const http = require('http');
const common = require('../common');

This comment has been minimized.

@thefourtheye

thefourtheye Sep 27, 2015

Contributor

common should be the first required module.

@thefourtheye

View changes

test/parallel/test-http-response-multiheaders.js Outdated
assert.equal(res.headers[name], 'A');
}
assert.equal(res.headers['x-a'], 'A, B');
server.close();

This comment has been minimized.

@thefourtheye

thefourtheye Sep 27, 2015

Contributor

Wouldn't closing the server before asserting better?

@jasnell

This comment has been minimized.

Member

jasnell commented Sep 27, 2015

@thefourtheye ... done

@bnoordhuis

View changes

lib/_http_outgoing.js Outdated
@@ -79,7 +79,7 @@ exports.OutgoingMessage = OutgoingMessage;
OutgoingMessage.prototype.setTimeout = function(msecs, callback) {
if (callback)
if (typeof callback === 'function')

This comment has been minimized.

@bnoordhuis

bnoordhuis Sep 28, 2015

Member

Maybe it should be a TypeError when typeof callback !== 'function'? This change silently ignores non-functions, which seems like a good way for bugs in user code to go unnoticed.

This comment has been minimized.

@jasnell

jasnell Oct 6, 2015

Member

Agreed. I was attempting to avoid adding a new throw but you're right, it's better to be explicit about the error here

@bnoordhuis

View changes

test/parallel/test-http-response-multiheaders.js Outdated
const server = http.createServer(function(req, res) {
for (let name of norepeat) {
res.setHeader(name, ['A', 'B']);
}

This comment has been minimized.

@bnoordhuis

bnoordhuis Sep 28, 2015

Member

Could be a little more rigorous by repeating the loop. You should perhaps also test res.writeHead() and combinations thereof.

jasnell added some commits Sep 27, 2015

http: add callback is function check
We were checking that the callback existed, but not
checking that it was a function
http: do not allow multiple instances of certain response headers
Response headers such as ETag and Last-Modified do not permit
multiple instances, and therefore the comma-separated syntax is
not allowed.
http: if callback is truthy but not a function, throw
in `setTimeout`, if callback is truthy but not a function,
throw a TypeError per @bnoordhuis' suggestion
test: expand test-http-response-multiheaders test
Include writeHead in the test per @bnoordhuis' suggestion

@jasnell jasnell force-pushed the jasnell:http-cleanups branch to 4652af7 Oct 6, 2015

@jasnell

This comment has been minimized.

Member

jasnell commented Oct 6, 2015

Rebased on current master. @bnoordhuis addressed the nits you had. PTAL.

@jasnell jasnell added the semver-major label Oct 6, 2015

@jasnell

This comment has been minimized.

Member

jasnell commented Oct 6, 2015

marked as semver-major due to the introduction of the additional throw

@thefourtheye

This comment has been minimized.

Contributor

thefourtheye commented Oct 6, 2015

LGTM

jasnell added a commit that referenced this pull request Oct 6, 2015

http: add callback is function check
We were checking that the callback existed, but not
checking that it was a function. In `setTimeout`, if
callback is truthy but not a function, throw a
TypeError

Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: #3090

jasnell added a commit that referenced this pull request Oct 6, 2015

http: do not allow multiple instances of certain response headers
Response headers such as ETag and Last-Modified do not permit
multiple instances, and therefore the comma-separated syntax is
not allowed. When multiple values for these headers are specified,
use only the first instance.

Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: #3090
@jasnell

This comment has been minimized.

Member

jasnell commented Oct 6, 2015

Landed in 0094a8d and e655a43. Thank you!

@jasnell jasnell closed this Oct 6, 2015

@Fishrock123

This comment has been minimized.

Member

Fishrock123 commented Oct 7, 2015

I'm not sure this major change had sufficient TSC review?

@rvagg

This comment has been minimized.

Member

rvagg commented Oct 7, 2015

I'm fine with this given it's just building on logic already there. /cc @nodejs/tsc anyway

@rvagg rvagg referenced this pull request Oct 27, 2015

Merged

Release proposal: v5.0.0 #3466

rvagg added a commit to rvagg/io.js that referenced this pull request Oct 29, 2015

2015-10-29, Version 5.0.0 (Stable)
Notable changes:

* buffer: (Breaking) Removed both 'raw' and 'raws' encoding types from Buffer,
  these have been deprecated for a long time (Sakthipriyan Vairamani) nodejs#2859.
* console: (Breaking) Values reported by console.time() now have 3 decimals of
  accuracy added (Michaël Zasso) nodejs#3166.
* fs:
  - fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also accept a file
    descriptor as their first argument (Johannes Wüller) nodejs#3163.
  - (Breaking) In fs.readFile(), if an encoding is specified and the internal
    toString() fails the error is no longer thrown but is passed to the callback
    (Evan Lucas) nodejs#3485.
  - (Breaking) In fs.read() (using the fs.read(fd, length, position, encoding,
    callback) form), if the internal toString() fails the error is no longer
    thrown but is passed to the callback (Evan Lucas) nodejs#3503.
* http:
  - Fixed a bug where pipelined http requests would stall (Fedor Indutny) nodejs#3342.
  - (Breaking) When parsing HTTP, don't add duplicates of the following headers:
    Retry-After, ETag, Last-Modified, Server, Age, Expires. This is in addition
    to the following headers which already block duplicates: Content-Type,
    Content-Length, User-Agent, Referer, Host, Authorization,
    Proxy-Authorization, If-Modified-Since, If-Unmodified-Since, From, Location,
    Max-Forwards (James M Snell) nodejs#3090.
  - (Breaking) The callback argument to OutgoingMessage#setTimeout() must be a
    function or a TypeError is thrown (James M Snell) nodejs#3090.
  - (Breaking) HTTP methods and header names must now conform to the RFC 2616
    "token" rule, a list of allowed characters that excludes control characters
    and a number of separator characters. Specifically, methods and header names
    must now match /^[a-zA-Z0-9_!#$%&'*+.^`|~-]+$/ or a TypeError will be thrown
    (James M Snell) nodejs#2526.
* node:
  - (Breaking) Deprecated the _linklist module (Rich Trott) nodejs#3078.
  - (Breaking) Removed require.paths and require.registerExtension(), both had
    been previously set to throw Error when accessed
    (Sakthipriyan Vairamani) nodejs#2922.
* npm: Upgraded to version 3.3.6 from 2.14.7, see
  https://github.com/npm/npm/releases/tag/v3.3.6 for more details. This is a
  major version bump for npm and it has seen a significant amount of change.
  Please see the original npm v3.0.0 release notes for a list of major changes
  (Rebecca Turner) nodejs#3310.
* src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46, this is necessary
  due to the V8 upgrade. Native add-ons will need to be recompiled
  (Rod Vagg) nodejs#3400.
* timers: Attempt to reuse the timer handle for setTimeout().unref(). This fixes
  a long-standing known issue where unrefed timers would perviously hold
  beforeExit open (Fedor Indutny) nodejs#3407.
* tls:
  - Added ALPN Support (Shigeki Ohtsu) nodejs#2564.
  - TLS options can now be passed in an object to createSecurePair()
    (Коренберг Марк) nodejs#2441.
  - (Breaking) The default minimum DH key size for tls.connect() is now 1024
    bits and a warning is shown when DH key size is less than 2048 bits. This a security consideration to prevent "logjam" attacks. A new minDHSize TLS
    option can be used to override the default. (Shigeki Ohtsu) nodejs#1831.
* util:
  - (Breaking) util.p() was deprecated for years, and has now been removed
    (Wyatt Preul) nodejs#3432.
  - (Breaking) util.inherits() can now work with ES6 classes. This is considered
    a breaking change because of potential subtle side-effects caused by a
    change from directly reassigning the prototype of the constructor using
    `ctor.prototype = Object.create(superCtor.prototype, { constructor: { ... } })`
    to using `Object.setPrototypeOf(ctor.prototype, superCtor.prototype)`
    (Michaël Zasso) nodejs#3455.
* v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35 (Ali Ijaz Sheikh) nodejs#3351.
  - Implements the spread operator, see
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Spread_operator
    for further information.
  - Implements new.target, see
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/new.target
    for further information.
* zlib: Decompression now throws on truncated input (e.g. unexpected end of
  file) (Yuval Brik) nodejs#2595.

PR-URL: nodejs#3466

rvagg added a commit that referenced this pull request Oct 29, 2015

2015-10-29, Version 5.0.0 (Stable)
Notable changes:

* buffer: (Breaking) Removed both 'raw' and 'raws' encoding types from Buffer,
  these have been deprecated for a long time (Sakthipriyan Vairamani) #2859.
* console: (Breaking) Values reported by console.time() now have 3 decimals of
  accuracy added (Michaël Zasso) #3166.
* fs:
  - fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also accept a file
    descriptor as their first argument (Johannes Wüller) #3163.
  - (Breaking) In fs.readFile(), if an encoding is specified and the internal
    toString() fails the error is no longer thrown but is passed to the callback
    (Evan Lucas) #3485.
  - (Breaking) In fs.read() (using the fs.read(fd, length, position, encoding,
    callback) form), if the internal toString() fails the error is no longer
    thrown but is passed to the callback (Evan Lucas) #3503.
* http:
  - Fixed a bug where pipelined http requests would stall (Fedor Indutny) #3342.
  - (Breaking) When parsing HTTP, don't add duplicates of the following headers:
    Retry-After, ETag, Last-Modified, Server, Age, Expires. This is in addition
    to the following headers which already block duplicates: Content-Type,
    Content-Length, User-Agent, Referer, Host, Authorization,
    Proxy-Authorization, If-Modified-Since, If-Unmodified-Since, From, Location,
    Max-Forwards (James M Snell) #3090.
  - (Breaking) The callback argument to OutgoingMessage#setTimeout() must be a
    function or a TypeError is thrown (James M Snell) #3090.
  - (Breaking) HTTP methods and header names must now conform to the RFC 2616
    "token" rule, a list of allowed characters that excludes control characters
    and a number of separator characters. Specifically, methods and header names
    must now match /^[a-zA-Z0-9_!#$%&'*+.^`|~-]+$/ or a TypeError will be thrown
    (James M Snell) #2526.
* node:
  - (Breaking) Deprecated the _linklist module (Rich Trott) #3078.
  - (Breaking) Removed require.paths and require.registerExtension(), both had
    been previously set to throw Error when accessed
    (Sakthipriyan Vairamani) #2922.
* npm: Upgraded to version 3.3.6 from 2.14.7, see
  https://github.com/npm/npm/releases/tag/v3.3.6 for more details. This is a
  major version bump for npm and it has seen a significant amount of change.
  Please see the original npm v3.0.0 release notes for a list of major changes
  (Rebecca Turner) #3310.
* src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46, this is necessary
  due to the V8 upgrade. Native add-ons will need to be recompiled
  (Rod Vagg) #3400.
* timers: Attempt to reuse the timer handle for setTimeout().unref(). This fixes
  a long-standing known issue where unrefed timers would perviously hold
  beforeExit open (Fedor Indutny) #3407.
* tls:
  - Added ALPN Support (Shigeki Ohtsu) #2564.
  - TLS options can now be passed in an object to createSecurePair()
    (Коренберг Марк) #2441.
  - (Breaking) The default minimum DH key size for tls.connect() is now 1024
    bits and a warning is shown when DH key size is less than 2048 bits. This a security consideration to prevent "logjam" attacks. A new minDHSize TLS
    option can be used to override the default. (Shigeki Ohtsu) #1831.
* util:
  - (Breaking) util.p() was deprecated for years, and has now been removed
    (Wyatt Preul) #3432.
  - (Breaking) util.inherits() can now work with ES6 classes. This is considered
    a breaking change because of potential subtle side-effects caused by a
    change from directly reassigning the prototype of the constructor using
    `ctor.prototype = Object.create(superCtor.prototype, { constructor: { ... } })`
    to using `Object.setPrototypeOf(ctor.prototype, superCtor.prototype)`
    (Michaël Zasso) #3455.
* v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35 (Ali Ijaz Sheikh) #3351.
  - Implements the spread operator, see
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Spread_operator
    for further information.
  - Implements new.target, see
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/new.target
    for further information.
* zlib: Decompression now throws on truncated input (e.g. unexpected end of
  file) (Yuval Brik) #2595.

PR-URL: #3466
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment