`http.OutgoingMessage` tried to send the first chunk together
with the headers by concatenating them together as a string, but the
list of encodings for which that works was incorrect.
Change it from a blacklist to a whitelist.
Fixes: https://github.com/nodejs/node/issues/11788
PR-URL: https://github.com/nodejs/node/pull/12747
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
This commit enables automatic concatenation of multiple Cookie header
values with a semicolon, except when 2D header arrays are used.
Fixes: https://github.com/nodejs/node/issues/11256
PR-URL: https://github.com/nodejs/node/pull/11259
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/node/pull/10941
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/10941
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/10941
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/10805
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Assigns a static identifier code to all runtime and documentation
only deprecations. The identifier code is included in the emitted
DeprecationWarning.
Also adds a deprecations.md to the API docs to provide a central
location where deprecation codes can be referenced and explained.
PR-URL: https://github.com/nodejs/node/pull/10116
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Michal Zasso <targos@protonmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/10558
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
PR-URL: https://github.com/nodejs/node/pull/10558
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
This commit implements two optimizations when working with headers:
* Avoid having to explicitly "render" headers and separately store the
original casing for header names.
* Match special header names using a single regular expression instead
of testing one regular expression per header name.
PR-URL: https://github.com/nodejs/node/pull/10558
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
PR-URL: https://github.com/nodejs/node/pull/10664
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This commit uses instanceof instead of Array.isArray() for faster
type checking and avoids calling Object.keys() when the headers are
stored as a 2D array instead of a plain object.
PR-URL: https://github.com/nodejs/node/pull/6533
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Since at least V8 5.4, using function.bind() is now fast enough to
use to avoid recompiling/reoptimizing the same anonymous functions.
These changes especially impact http servers.
PR-URL: https://github.com/nodejs/node/pull/6533
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
This makes it easier to see what header has an invalid value.
PR-URL: https://github.com/nodejs/node/pull/9195
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
checkIsHttpToken() already checks for typeof string. We do not
want to check twice.
PR-URL: https://github.com/nodejs/node/pull/7985
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/7949
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Take advantage of arrow function lexical `this` to avoid defining a
`self = this` var which was only used once.
Code relating to the `finish` event was split in to two areas of the
parent function. Gathered it together to clarify association within the
script.
Fixes: https://github.com/nodejs/node/issues/7295
PR-URL: https://github.com/nodejs/node/pull/7378
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
When node began using the OneByte API (f150d56) it also switched to
officially supporting ISO-8859-1. Though at the time no new encoding
string was introduced.
Introduce the new encoding string 'latin1' to be more explicit. The
previous 'binary' and documented as an alias to 'latin1'. While many
tests have switched to use 'latin1', there are still plenty that do both
'binary' and 'latin1' checks side-by-side to ensure there is no
regression.
PR-URL: https://github.com/nodejs/node/pull/7111
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Prevent misleading error messages when trailers are invalid.
PR-URL: https://github.com/nodejs/node/pull/6308
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Brian White <mscdex@mscdex.net>
Several changes:
* Soft-Deprecate Buffer() constructors
* Add `Buffer.from()`, `Buffer.alloc()`, and `Buffer.allocUnsafe()`
* Add `--zero-fill-buffers` command line option
* Add byteOffset and length to `new Buffer(arrayBuffer)` constructor
* buffer.fill('') previously had no effect, now zero-fills
* Update the docs
PR-URL: https://github.com/nodejs/node/pull/4682
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
The value passed to `process.nextTick()` which is passed to the
callback is already a valid object, so the conditional will always
evaluate to true.
PR-URL: https://github.com/nodejs/node/pull/5233
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
This just removes an assignment to `ret` of a value that's not used before
it's overwritten. Immediately following the assigment is an `if/else` in
which both branches assign to `ret` without using it.
PR-URL: https://github.com/nodejs/node/pull/4323
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit fixes some error messages that are not consistent with
some general rules which most of the error messages follow.
PR-URL: https://github.com/nodejs/node/pull/3374
Reviewed-By: Roman Reiss <me@silverwind.io>
- This check is already covered in EventEmitter#addListener()
Refs: https://github.com/nodejs/node/pull/3618
PR-URL: https://github.com/nodejs/node/pull/3631
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
This is a two-part fix:
- Fix pending data notification in `OutgoingMessage` to notify server
about flushed data too
- Fix pause/resume behavior for the consumed socket. `resume` event is
emitted on a next tick, and `socket._paused` can already be `true` at
this time. Pause the socket again to avoid PAUSED error on parser.
Fix: https://github.com/nodejs/node/issues/3332
PR-URL: https://github.com/nodejs/node/pull/3342
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Make sure that the pipelined response data will be written as less TCP
packets as possible.
PR-URL: https://github.com/nodejs/node/pull/3172
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
We were checking that the callback existed, but not
checking that it was a function. In `setTimeout`, if
callback is truthy but not a function, throw a
TypeError
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/node/pull/3090
Account pending response data to decide whether pause the socket or
not. Writable stream state is a not reliable measure, because it just
says how much data is pending on a **current** request, thus not helping
much with problem we are trying to solve here.
PR-URL: https://github.com/nodejs/node/pull/3128
Ref: https://github.com/nodejs/node-convergence-archive/issues/13
This adds a new check for header and trailer fields names and method
names to ensure that they conform to the HTTP token rule. If they do
not, a `TypeError` is thrown.
Previously this had an additional `strictMode` option that has been
removed in favor of making the strict check the default (and only)
behavior.
Doc and test case are included.
On the client-side
```javascript
var http = require('http');
var url = require('url');
var p = url.parse('http://localhost:8888');
p.headers = {'testing 123': 123};
http.client(p, function(res) { }); // throws
```
On the server-side
```javascript
var http = require('http');
var server = http.createServer(function(req,res) {
res.setHeader('testing 123', 123); // throws
res.end('...');
});
```
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Trevor Norris <trevnorris@nodejs.org>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
PR-URL: https://github.com/nodejs/node/pull/2526
Commit 3c293ba ("http: protect against response splitting attacks")
filters out newline characters from HTTP headers but forgot to apply
the same logic to trailing HTTP headers, i.e., headers that come after
the response body. This commit rectifies that.
The expected security impact is low because approximately no one uses
trailing headers. Some HTTP clients can't even parse them.
PR-URL: https://github.com/nodejs/node/pull/2945
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Rod Vagg <r@va.gg>
Changes included in this commit are
1. Making the deprecation messages consistent. The messages will be in
the following format
x is deprecated. Use y instead.
If there is no alternative for `x`, then the ` Use y instead.` part
will not be there in the message.
2. All the internal deprecation messages are printed with the prefix
`(node) `, except when the `--trace-deprecation` flag is set.
Fixes: https://github.com/nodejs/io.js/issues/1883
PR-URL: https://github.com/nodejs/io.js/pull/1892
Reviewed-By: Roman Reiss <me@silverwind.io>