Ref: https://github.com/nodejs/node-convergence-archive/issues/13
This adds a new check for header and trailer fields names and method
names to ensure that they conform to the HTTP token rule. If they do
not, a `TypeError` is thrown.
Previously this had an additional `strictMode` option that has been
removed in favor of making the strict check the default (and only)
behavior.
Doc and test case are included.
On the client-side
```javascript
var http = require('http');
var url = require('url');
var p = url.parse('http://localhost:8888');
p.headers = {'testing 123': 123};
http.client(p, function(res) { }); // throws
```
On the server-side
```javascript
var http = require('http');
var server = http.createServer(function(req,res) {
res.setHeader('testing 123', 123); // throws
res.end('...');
});
```
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Trevor Norris <trevnorris@nodejs.org>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
PR-URL: https://github.com/nodejs/node/pull/2526
Commit 3c293ba ("http: protect against response splitting attacks")
filters out newline characters from HTTP headers but forgot to apply
the same logic to trailing HTTP headers, i.e., headers that come after
the response body. This commit rectifies that.
The expected security impact is low because approximately no one uses
trailing headers. Some HTTP clients can't even parse them.
PR-URL: https://github.com/nodejs/node/pull/2945
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Rod Vagg <r@va.gg>
Changes included in this commit are
1. Making the deprecation messages consistent. The messages will be in
the following format
x is deprecated. Use y instead.
If there is no alternative for `x`, then the ` Use y instead.` part
will not be there in the message.
2. All the internal deprecation messages are printed with the prefix
`(node) `, except when the `--trace-deprecation` flag is set.
Fixes: https://github.com/nodejs/io.js/issues/1883
PR-URL: https://github.com/nodejs/io.js/pull/1892
Reviewed-By: Roman Reiss <me@silverwind.io>
Modifies the setTimeout methods for the following prototypes:
- http.ClientRequest
- http.IncomingMessage
- http.OutgoingMessage
- http.Server
- https.Server
- net.Socket
- tls.TLSSocket
Previously, the above functions returned undefined. They now return
`this`. This is useful for chaining function calls.
PR-URL: https://github.com/nodejs/io.js/pull/1699
Reviewed-By: Roman Reiss <me@silverwind.io>
This changes the behavior for http to send send a Content-Length header
instead of using chunked encoding when we know the size of the body when
sending the headers.
Fixes: https://github.com/iojs/io.js/issues/1044
PR-URL: https://github.com/iojs/io.js/pull/1062
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Brian White <mscdex@mscdex.net>
This commit does some small optimization changes on
`lib/_http_outgoing.js`. These include switching from `while` loops to
`for` loops, moving away from `util` to `typeof` checks, and removing
dead code. It also includes variable caches to avoid lookups and
generic style changes. All in all, much faster execution.
It gets an across the board increase in req/sec on the benchmarks,
from my experience about a 10% increase.
PR-URL: https://github.com/iojs/io.js/pull/605
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Nicu Micleușanu <micnic90@gmail.com>
Reviewed-By: Christian Vaagland Tellnes <christian@tellnes.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
If you set a custom http header which includes eg. the string `Date`,
then http will not automatically send the `Date` header.
This is also true for other automatic http headers.
PR-URL: https://github.com/iojs/io.js/pull/828
Reviewed-By: Brendan Ashworth <brendan.ashworth@me.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Many of the util.is*() methods used to check data types
simply compare against a single value or the result of
typeof. This commit replaces calls to these methods with
equivalent checks. This commit does not touch calls to the
more complex methods (isRegExp(), isDate(), etc.).
Fixes: https://github.com/iojs/io.js/issues/607
PR-URL: https://github.com/iojs/io.js/pull/647
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit replaces a number of var statements throughout
the lib code with const statements.
PR-URL: https://github.com/iojs/io.js/pull/541
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The copyright and license notice is already in the LICENSE file. There
is no justifiable reason to also require that it be included in every
file, since the individual files are not individually distributed except
as part of the entire package.
Turn on strict mode for the files in the lib/ directory. It helps
catch bugs and can have a positive effect on performance.
PR-URL: https://github.com/node-forward/node/pull/64
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Several fields on OutgoingMessage were set after instantiation. These
have been included in the constructor to prevent mutation of the object
map after instantiation.
"name" is now explicitly checked to be a string. Where before if a
non-string was passed the following cryptic error was thrown:
_http_outgoing.js:334
var key = name.toLowerCase();
^
TypeError: undefined is not a function
Signed-off-by: Trevor Norris <trev.norris@gmail.com>
When calling write() after end() has been called on an OutgoingMessage,
an error is emitted and the write's callback is called with an instance
of Error.
Fix#7477.
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Forcibly flushes the request headers. You need this with long-lived
HTTP connections where the first data isn't written until the connection
has been established (think: tunneling requests over HTTP CONNECT.)
Fixes#7296.
Signed-off-by: Fedor Indutny <fedor@indutny.com>
This allows automatically-inserted headers to be removed permanently by
calling OutgoingMessage.removeHeader() on them, as if they were normal
headers.
In other Writable streams, the 'finish' event means that all of the data
was written, and flushed to the underlying system.
The 'prefinish' event means that end() was called, and all of the data
was processed, but not necessarily completely flushed.
This change brings the http OutgoingMessage classes more in sync with
the other Writable classes throughout Node.
Unfortunately, this change highlights an issue with http
IncomingMessages, where the _dump() method will not actually pull the
data off the wire. This is a minor issue that is typically only
relevant in test cases, and will be addressed in the next commit.
This removes a dubious performance "optimization" where strings body
chunks were concatenated to one another (and to the headers) without any
regard for their encoding.
There was previously up to a second exit delay when exiting node
right after an http request/response, due to the utcDate() function
doing a setTimeout to update the cached date/time.
Fixing this should increase the performance of our http tests.
Forward-port the comments from commit 01e2920 (v0.10) to the master
branch. Everything else from that patch already exists in master.
It didn't merge cleanly because lib/http.js has been split up in
several files.
Fixes#3740
In the case of pipelined requests, you can have a situation where
the socket gets destroyed via one req/res object, but then trying
to destroy *another* req/res on the same socket will cause it to
call undefined.destroy(), since it was already removed from that
message.
Add a guard to OutgoingMessage.destroy and IncomingMessage.destroy
to prevent this error.