Unsanitized paths containing line feed characters can be used for
header injection and request splitting so reject them with an exception.
There seems to be no reasonable use case for allowing control characters
(characters <= 31) while there are several scenarios where they can be
used to exploit software bugs so reject control characters altogether.
PR-URL: https://github.com/nodejs/node/pull/8923
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: not-an-aardvark <not-an-aardvark@users.noreply.github.com>
This allows passing the socket connection timeout to http#request
such that it will be set before the socket is connecting
PR-URL: https://github.com/nodejs/node/pull/8101
Fixes: https://github.com/nodejs/node/issues/7580
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
When `free`ing the socket to be reused in keep-alive Agent wait for
both `prefinish` and `end` events. Otherwise the next request may be
written before the previous one has finished sending the body, leading
to a parser errors.
PR-URL: https://github.com/nodejs/node/pull/7149
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
When handling a response to `CONNECT` request - skip message body
and do not attempt to parse the next message. `CONNECT` requests are
used in similar sense to HTTP Upgrade.
Fix: https://github.com/nodejs/node/pull/6198
PR-URL: https://github.com/nodejs/node/pull/6279
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
IPv6 addresses in Host header (URI), must be enclosed within
square brackets, in order to properly separate the host address
from any port reference.
PR-URL: https://github.com/nodejs/node/pull/5314
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Several changes:
* Soft-Deprecate Buffer() constructors
* Add `Buffer.from()`, `Buffer.alloc()`, and `Buffer.allocUnsafe()`
* Add `--zero-fill-buffers` command line option
* Add byteOffset and length to `new Buffer(arrayBuffer)` constructor
* buffer.fill('') previously had no effect, now zero-fills
* Update the docs
PR-URL: https://github.com/nodejs/node/pull/4682
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Instead of leaking the arguments object by passing it as an
argument to a function, copy it's contents to a new array,
then pass the array. This allows V8 to optimize the function
that contains this code, improving performance.
PR-URL: https://github.com/nodejs/node/pull/4361
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
This commit adds support for async createConnection()
implementations and is still backwards compatible with
synchronous createConnection() implementations.
This commit also makes the http client more friendly with
generic stream objects produced by createConnection() by
checking stream.writable instead of stream.destroyed as the
latter is currently a net.Socket-ism and not set by the core
stream implementations.
PR-URL: https://github.com/nodejs/node/pull/4638
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
In lib/_http_client.js, the variable `conn` was declared with the `var`
keyword three times in the same scope. This change eliminates the
variable entirely.
PR-URL: https://github.com/nodejs/node/pull/4612
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This change adds a new event handler to the `error` event of the socket
after it has been used by the http_client.
The purpose of this change is to catch errors on *keep alived*
connections from idle sockets that otherwise will cause an uncaugh error
event on the application.
Fix: #3595
PR-URL: https://github.com/nodejs/node/pull/4482
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Some files in `lib` were using `require` to load modules that were
subsequently not used in the file. This removes those `require`
statements.
PR-URL: https://github.com/nodejs/node/pull/4396
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Do not emit `upgrade` if the server is just advertising its protocols
support as per RFC 7230 Section 6.7.
A server MAY send an Upgrade header field in any other response
to advertise that it implements support for upgrading to the
listed protocols, in order of descending preference, when
appropriate for a future request.
Fix: https://github.com/nodejs/node/issues/4334
PR-URL: https://github.com/nodejs/node/pull/4337
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit fixes some error messages that are not consistent with
some general rules which most of the error messages follow.
PR-URL: https://github.com/nodejs/node/pull/3374
Reviewed-By: Roman Reiss <me@silverwind.io>
If the URL passed to `http{s}.request` or `http{s}.get` is not properly
parsable by `url.parse`, we fall back to use `localhost` and port 80.
This creates confusing error messages like in this question
http://stackoverflow.com/q/32675907/1903116.
This patch throws an error message, if `url.parse` fails to parse the
URL properly.
Previous Discussion: https://github.com/nodejs/node/pull/2966
PR-URL: https://github.com/nodejs/node/pull/2967
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Ref: https://github.com/nodejs/node-convergence-archive/issues/13
This adds a new check for header and trailer fields names and method
names to ensure that they conform to the HTTP token rule. If they do
not, a `TypeError` is thrown.
Previously this had an additional `strictMode` option that has been
removed in favor of making the strict check the default (and only)
behavior.
Doc and test case are included.
On the client-side
```javascript
var http = require('http');
var url = require('url');
var p = url.parse('http://localhost:8888');
p.headers = {'testing 123': 123};
http.client(p, function(res) { }); // throws
```
On the server-side
```javascript
var http = require('http');
var server = http.createServer(function(req,res) {
res.setHeader('testing 123', 123); // throws
res.end('...');
});
```
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Trevor Norris <trevnorris@nodejs.org>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
PR-URL: https://github.com/nodejs/node/pull/2526
The `events` module already exports `EventEmitter` constructor function
So, we don't have to use `events.EventEmitter` to access it.
Refer: https://github.com/nodejs/node/pull/2896
PR-URL: https://github.com/nodejs/node/pull/2921
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Logic for calling the passed in socket method and/or callback
was duplicated. This commit refactors the relevant code to
remove the redundancy.
PR-URL: https://github.com/nodejs/node/pull/2769
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Brendan Ashworth <brendan.ashworth@me.com>
As per the discussion in #734, this patch deprecates the usage of
`EventEmitter.listenerCount` static function in the docs, and introduces
the `listenerCount` function in the prototype of `EventEmitter` itself.
PR-URL: https://github.com/nodejs/node/pull/2349
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Modifies the setTimeout methods for the following prototypes:
- http.ClientRequest
- http.IncomingMessage
- http.OutgoingMessage
- http.Server
- https.Server
- net.Socket
- tls.TLSSocket
Previously, the above functions returned undefined. They now return
`this`. This is useful for chaining function calls.
PR-URL: https://github.com/nodejs/io.js/pull/1699
Reviewed-By: Roman Reiss <me@silverwind.io>
This reverts commit 3fd7fc429c.
It was agreed that this change contained too much potential ecosystem
breakage, particularly around the inability to `delete` properties off a
`Url` object. It may be re-introduced for a later release, along with
better work on ecosystem compatibility.
PR-URL: https://github.com/iojs/io.js/pull/1602
Reviewed-By: Mikeal Rogers <mikeal.rogers@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Forrest L Norvell <forrest@npmjs.com>
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Reviewed-By: Isaac Z. Schlueter <i@izs.me>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
This reverts commit 06cfff9350.
Reverted because it introduced a regression where (because options were
modified in the later functionality) options.host and options.port would
be overridden with values provided in other, supported ways.
PR-URL: https://github.com/iojs/io.js/pull/1467
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Read all pending data out of the socket on `error` event and ensure that
no `data`/`end` handlers will be invoked on `socket.destroy()`.
Otherwise following assertion happens:
AssertionError: null == true
at TLSSocket.socketOnData (_http_client.js:308:3)
at TLSSocket.emit (events.js:107:17)
at TLSSocket.Readable.read (_stream_readable.js:373:10)
at TLSSocket.socketCloseListener (_http_client.js:229:10)
at TLSSocket.emit (events.js:129:20)
at TCP.close (net.js:476:12)
Fix: https://github.com/joyent/node/issues/9348
PR-URL: https://github.com/iojs/io.js/pull/1103
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Nicu Micleușanu <micnic90@gmail.com>
This commit adds the ability to enable userspace tracing with lttng
in io.js. It adds tracepoints for all the equivalent dtrace and ETW
tracepoints. To use these tracepoints enable --with-lttng on linux.
PR-URL: https://github.com/iojs/io.js/pull/702
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ryan Graham <ryan@strongloop.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Many of the util.is*() methods used to check data types
simply compare against a single value or the result of
typeof. This commit replaces calls to these methods with
equivalent checks. This commit does not touch calls to the
more complex methods (isRegExp(), isDate(), etc.).
Fixes: https://github.com/iojs/io.js/issues/607
PR-URL: https://github.com/iojs/io.js/pull/647
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit replaces a number of var statements throughout
the lib code with const statements.
PR-URL: https://github.com/iojs/io.js/pull/541
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The copyright and license notice is already in the LICENSE file. There
is no justifiable reason to also require that it be included in every
file, since the individual files are not individually distributed except
as part of the entire package.
Turn on strict mode for the files in the lib/ directory. It helps
catch bugs and can have a positive effect on performance.
PR-URL: https://github.com/node-forward/node/pull/64
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Make it a little harder to slip in use-after-free bugs by nulling out
references to the parser object after handing it off to freeParser().
Reviewed-by: Trevor Norris <trev.norris@gmail.com>
Avoid sending unsent data and destroying otherwise legitimate sockets
for requests that are aborted while still in the agent queue. This
reduces stress on upstream systems who will likely respond to the
request but client app already knows that it will be dropped on the
floor and also helps avoid killing keep-alive connections.
Include the "expected protocol" in the Error message
string, which evaluates to "http:" for the `http`
core module, and "https:" for the `https` module.
Closes#7355.
Default to the `defaultAgent.protocol` when comparing the
user-specified `options.protocol` string. This is so that
`http.Agent` instances do not need to specify their own
`protocol` field, since we have the relevant information
already from the `defaultAgent`.
Note that the test case could be separately cherry-picked
to the `v0.10` branch, since it already passes correctly.
Fixes#7349.
Fixes the regression described in: http://git.io/2ds-WQ
For the `request()` and `get()` functions. I could never
really understand why these two functions go through agent
first... Especially since the user could be passing `agent: false`
or a different Agent instance completely, in which `globalAgent`
will be completely bypassed.
Moved the relevant logic from `Agent#request()` into the
`ClientRequest` constructor.
Incidentally, this commit fixes#7012 (which was the original
intent of this commit).
This is a slightly modified revert of bc39bdd.
Getting domains to use AsyncListeners became too much of a challenge
with many edge cases. While this is still a goal, it will have to be
deferred for now until more test coverage can be provided.
HTTP Parser instance was freed twice, leading to the reusal of it
in several different requests simultaneously.
The flow:
`socketCloseListener` is firing, which calls `socket.read()` to flush
any queued data, `socket.buffer` has data which emits and fires
`socketOnData` in sync, this triggers a parser error which frees the
parser, `socketCloseListener` resumes execution only to have the wrong
parser associated with the socket.
The fix is to only cache the parser after the flushing from the socket,
and to assert in `socketOnData` that `socket === parser.socket`
fix#6451
The domain module has been switched over to use the domain module API as
much as currently possible. There are still some hooks in the
EventEmitter, but hopefully we can remove those in the future.
When the socket closes, the client's http incoming message object was
emitting an 'aborted' event if it had not yet been ended.
However, it's possible, when a response is being repeatedly paused and
resumed (eg, if piped to a slow FS write stream), that there will be a
final chunk remaining in the js-land buffer when the socket is torn
down.
When that happens, the socketCloseListener function detects that we have
not yet reached the end of the response message data, and treats this as
an abrupt abort, immediately (and forcibly) ending the incoming message
data stream, and discarding that final chunk of data.
The result is that, for example, npm will have problems because tarballs
are missing a few bytes off the end, every time.
Closes GH-6402