http: check reason chars in writeHead

Previously, the reason argument passed to ServerResponse#writeHead was not being properly validated. One could pass CRLFs which could lead to http response splitting. This commit changes the behavior to throw an error in the event any invalid characters are included in the reason. CVE-2016-5325 PR-URL: https://github.com/nodejs/node-private/pull/48 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org>
9 years ago · 3614a173d0
2 changed files with 30 additions and 0 deletions
--- a/lib/http.js
+++ b/lib/http.js
@ -1233,6 +1233,9 @@ ServerResponse.prototype.writeHead = function(statusCode) {
  if (statusCode < 100 || statusCode > 999)
    throw new RangeError('Invalid status code: ' + statusCode);

+  if (_checkInvalidHeaderChar(reasonPhrase))
+    throw new Error('Invalid character in statusMessage.');
+
  var statusLine = 'HTTP/1.1 ' + statusCode.toString() + ' ' +
                   reasonPhrase + CRLF;

--- a/test/simple/test-http-status-reason-invalid-chars.js
+++ b/test/simple/test-http-status-reason-invalid-chars.js
@ -0,0 +1,27 @@
+'use strict';
+
+var common = require('../common');
+var assert = require('assert');
+var http = require('http');
+
+var server = http.createServer(function(req, res) {
+  assert.throws(function() {
+    res.writeHead(200, 'OK\r\nContent-Type: text/html\r\n');
+  }, /Invalid character in statusMessage/);
+
+  assert.throws(function() {
+    res.writeHead(200, 'OK\u010D\u010AContent-Type: gotcha\r\n');
+  }, /Invalid character in statusMessage/);
+  res.end();
+}).listen(common.PORT, common.mustCall(function() {
+  var url = 'http://localhost:' + common.PORT;
+  var left = 1;
+  var check = common.mustCall(function(res) {
+    res.resume();
+    left--;
+    assert.notEqual(res.headers['content-type'], 'text/html');
+    assert.notEqual(res.headers['content-type'], 'gotcha');
+    if (left === 0) server.close();
+  }, 1);
+  http.get(url + '/explicit', check);
+}));