Security Update
Notable items:
* http: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against a Node.js TLS server using
DHE key exchange. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
(Shigeki Ohtsu) #4134
* v8: Backport fixes for a bug in `JSON.stringify()` that can result
in out-of-bounds reads for arrays. (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/12
This just replaces all sources of openssl-1.0.2e.tar.gz into
deps/openssl/openssl
deps: copy all openssl header files to include dir
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
deps: fix openssl assembly error on ia32 win32
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .
deps: fix asm build error of openssl in x86_win32
See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html
node needs to stop using masm and move to nasm or yasm on Win32.
openssl: fix keypress requirement in apps on win32
Reapply b910613792 .
deps: add -no_rand_screen to openssl s_client
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
deps: update openssl config files
Regenrate config files for supported platforms with Makefile.
deps: update openssl asm and asm_obsolete files
Regenerate asm files with Makefile and CC=gcc and ASM=gcc where
gcc-4.8.4. Also asm files in asm_obsolete dir to support old compiler
and assmebler are regenerated without CC and ASM envs.
PR-URL: https://github.com/nodejs/node/pull/4134
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Move ENOENT related tests out of general fs.watch() test file and into
its own file. This may help diagnose
https://github.com/nodejs/node/issues/3541.
PR-URL: https://github.com/nodejs/node/pull/3548
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
This adds an example of a semi-common promise pattern that could
result in false-positive 'unhandledRejection' events, to help motivate
why there is a dual 'rejectionHandled' event. I anticipate it being
helpful to users who encounter 'unhandledRejection' events that do not
stem from obvious typos such as the JSON.pasre example.
Also cleans up the promise rejection tracking sample. By using a Map
instead of array we can get O(1) deletion and actually record the errors.
And, fixed indentation and backtick usage there to align with the rest of
the document.
Reviewed-By: Stephan Belanger <admin@stephenbelanger.com>
Reviewed-By: Petka Antonov <petka.antonov@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/3438
When v8 implemented proper one-byte string support Node's internal
"binary" encoding implementation was removed in favor of it. The result
was that "binary" encoding effectively became "latin-1" encoding.
Because of this and because one-byte strings are natively supported by
v8 the buffer encoding is not deprecated and will not be removed.
Ref: 83261e7 "deps: update v8 to 3.17.13"
PR-URL: https://github.com/nodejs/node/pull/3441
Reviewed-By: Ben Noordhuis <ben@strongloop.com>
Tests normally use common.PORT to allow the user to select which port
number to listen on. Hardcoding the port number will cause parallel
instances of the test to fail.
PR-URL: https://github.com/nodejs/node/pull/3557
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Fix the following error message in windows using VS 2013:
LINK : fatal error LNK1194: cannot delay-load 'node.exe'
due to import of data symbol '"__declspec(dllimport)
const v8::OutputStream::`vftable'"
(__imp_??_7OutputStream@v8@@6B@)'; link without
/DELAYLOAD:node.exe
PR-URL: https://github.com/nodejs/node/pull/3572
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This is to ensure that it is evaluated the same way it would be if it
were to be run by node or required.
Before, the following would pass if run by node, but fail if run via
the syntax check flag:
if (true) {
return;
}
Now, this will pass the syntax check
PR-URL: https://github.com/nodejs/node/pull/3587
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Check that `node --debug-brk -e 0` immediately quits.
PR-URL: https://github.com/nodejs/node/pull/3585
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This is a reland of https://github.com/nodejs/node/pull/3165. The patch abates
the truncation of script filenames in the perf-event output produced by V8.
V8 commits:
Original: 03ef3cd004
Reland: 010897c16a
Original commit message:
improve perf_basic_prof filename reporting
The buffer used for appending filenames to the string printed to the
perf_basic_prof log was unnecessarily too small. Bump it up to be at least
kUtf8BufferSize.
Truncation of filenames makes it really hard to work with profiles gathered on
Node.js. Because of the way Node.js works, you can have node module dependencies
in deeply nested directories. The last thing you want when investigating a
performance problem is to have script names be truncated.
This patch is a stop-gap. Ideally, I want no truncation of the filename at all
and use a dynamically growing buffer. That would be a larger change, and I
wanted to have a quick fix available that can be back-ported to Node.js LTS
release.
R=yangguo@chromium.org,yurys@chromium.org
BUG=
Review URL: https://codereview.chromium.org/1388543002
PR-URL: https://github.com/nodejs/node/pull/3520
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Before this commit, sending a SIGUSR1 at program exit could trigger a
hard to reproduce race condition where `v8::Debug::DebugBreak(isolate)`
got called when the isolate was in the process of being torn down.
A similar race condition is in theory possible when sending signals
to two threads simultaneously but I haven't been able to reproduce
that myself (and I tried, oh how I tried.)
This commit fixes the race condition by turning `node_isolate` into
a `std::atomic` and using it as an ad hoc synchronization primitive
in places where that is necessary.
A bare minimum std::atomic polyfill is added for OS X because Apple
wouldn't be Apple if things just worked out of the box.
PR-URL: https://github.com/nodejs/node/pull/3528
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
As it is, the comments are not handled properly in REPL. So, if the
comments have `'` or `"`, then they are treated as incomplete string
literals and the error is thrown in REPL.
This patch refactors the existing logic and groups everything in a
class.
Fixes: https://github.com/nodejs/node/issues/3421
PR-URL: https://github.com/nodejs/node/pull/3515
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Instead of creating new timer - reuse the timer from the freelist. This
won't make the freelist timer active for the duration of `uv_close()`,
and will let the event-loop exit properly.
Fix: #1264
PR-URL: https://github.com/nodejs/node/pull/3407
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
f2a45caf2e contained a test for a
regression that had been introduced by the original change that
77a10ed05f ported. While
77a10ed05f did not contain that
regression, the test that f2a45caf2e
contained should still be in the code base to prevent any regression
from happening in the future.
Original message for the commit that contained the test:
domains: fix stack clearing after error handled
caeb67735b introduced a regression where
the domains stack would not be cleared after an error had been handled
by the top-level domain.
This change clears the domains stack regardless of the position of the
active domain in the stack.
PR: #9364
PR-URL: https://github.com/joyent/node/pull/9364
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
PR: #3356
PR-URL: https://github.com/nodejs/node/pull/3356
Reviewed-By: Ben Noordhuis <ben@strongloop.com>
util is loaded just for one use of util.format(). Replace it with a
string template. While we're at it, delete nearby lengthy comment
justifying use of fs.readFileSync().
PR-URL: https://github.com/nodejs/node/pull/3324
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed By: Evan Lucas <evanlucas@me.com>
The Pi 1's in CI don't always fail on the buffer.toString() tests. But
they time out sometimes, so let's split the tests up so they don't.
PR-URL: https://github.com/nodejs/node/pull/3323
Reviewed By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed By: Trevor Norris <trev.norris@gmail.com>
Fixes a persistently troublesome failing test by splitting it
out into multiple parallel tests.
Reviewed By: Evan Lucas <evanlucas@me.com>
Reviewed By: Trevor Norris <trev.norris@gmail.com>
Reviewed By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/3287
common.Error() is just util.isError() which is deprecated. Use
assert.throws() instead.
PR-URL: https://github.com/nodejs/node/pull/3084
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Original commit message:
[heap] fix crash during the scavenge of ArrayBuffer
Scavenger should not attempt to visit ArrayBuffer's storage, it is a
user-supplied pointer that may have any alignment. Visiting it, may
result in a crash.
BUG=
R=jochen
Review URL: https://codereview.chromium.org/1406133003
Cr-Commit-Position: refs/heads/master@{#31611}
PR-URL: https://github.com/nodejs/node/pull/3549
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
inherits is used in lib and tests but its functionality itself is not
tested yet.
PR-URL: https://github.com/nodejs/node/pull/3507
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
The test sometimes fail on an assertion but no useful error message
was generated for debugging. Modify the test to generate useful
debugging message.
PR-URL: https://github.com/nodejs/node/pull/3501
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Add SIGTRAP and the corresponding exit code to the list of signals/exit
codes that are expected when running tests that throw an uncaught error
and have --abort-on-uncaught-exception enabled.
Also refactor a bit related comments so that they better reflect what's
actually happening.
Fixes#3239.
PR: #3354
PR-URL: https://github.com/nodejs/node/pull/3354
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Previously the wrong end of the history was limited on load.
PR-URL: https://github.com/nodejs/node/pull/2356
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed By: Evan Lucas <evanlucas@me.com>
- Now cleans up the history file unless told otherwise.
- Now also logs which test case failed.
- Waits for flush after repl close if necessary.
Fixes: https://github.com/nodejs/node/issues/2319
PR-URL: https://github.com/nodejs/node/pull/2356
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed By: Evan Lucas <evanlucas@me.com>
The existing test never ran because typeof Symbol === 'function' and not
'symbol'. We have Symbols now so remove the check and just run the test.
PR-URL: https://github.com/nodejs/node/pull/3327
Reviewed-By: James M Snell <jasnell@gmail.com>
malloc(0) and realloc(ptr, 0) have implementation-defined behavior in
that the standard allows them to either return a unique pointer or a
nullptr for zero-sized allocation requests. Normalize by always using
a nullptr.
Fixes: https://github.com/nodejs/node/issues/3496
PR-URL: https://github.com/nodejs/node/pull/3499
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
This test is already partially disabled for several platforms with
the comment that the required info is not provided at the C++ level.
I'm adding AIX as and PPC BE linux as they currently fall into
the same category. We are working to see if we can change that
in v8 but it will be non-trivial if is possible at all so I don't
want to leave the CI with failing tests until that point.
PR-URL: https://github.com/nodejs/node/pull/3491
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
test-child-process-fork-regr-gh-2847 could fail depending
on timing and how messages were packed into tcp packets.
If all of the requests fit into one packet then the test
worked otherwise, otherwise errors could occur. This PR
modifies the test to be tolerant while still validating that
some of the connection can be made succesfully
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/3459
Fixed an intermittent issue on AIX where the 100ms timeout was reached
before the 'connection' event was fired. This resulted in a failure as
serverConnection would be undefined and the assert.equal would throw an
error. Changed the flow of the test so that the timeout is only set
after a connection has been made.
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
PR-URL: https://github.com/nodejs/node/pull/3458
Currently there are many instances where assert.fail is directly passed
to a callback for error handling. Unfortunately this will swallow the
error as it is the third argument of assert.fail that sets the message
not the first.
This commit adds a new function to test/common.js that simply wraps
assert.fail and calls it with the provided message.
Tip of the hat to @trott for pointing me in the direction of this.
PR-URL: https://github.com/nodejs/node/pull/3453
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Test should be skipped if ipv6 is unavailable on the running system.
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/3444