Copy client CA certs and cert store when asynchronously selecting
`SecureContext` during `SNICallback`. We already copy private key,
certificate, and certificate chain, but the client CA certs were
missing.
Fix: #2772
PR-URL: https://github.com/nodejs/node/pull/3537
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
With an indentation style of two spaces, it is not possible to indent
multiline variable declarations by four spaces. Instead, the var keyword
is used on every new line.
Use const instead of var where applicable for changed lines.
PR-URL: https://github.com/nodejs/io.js/pull/2286
Reviewed-By: Roman Reiss <me@silverwind.io>
The no-reserved-keys rule doesn't exist anymore and we don't need ES3
compatibility.
escape and unescape are now known by eslint.
--reset flag was removed and it is now the default behavior.
PR-URL: https://github.com/nodejs/io.js/pull/2286
Reviewed-By: Roman Reiss <me@silverwind.io>
On case-insensitive platorms, the Debug/ rule catches the debug module
under npm and eslint.
PR-URL: https://github.com/nodejs/node/pull/2286
Reviewed-By: Roman Reiss <me@silverwind.io>
Modify tools/license-builder.sh to restore the Third-Party Software
licenses for ICU.
Also fix arguments to tail to work on Linux.
rvagg: modified sed command for ICU to replace tabs with spaces and
remove whitespace at the end of lines
PR-URL: https://github.com/nodejs/node/pull/4762
Reviewed-By: Rod Vagg <rod@vagg.org>
It's possible there is already an existing error on OpenSSL's error
stack that is unrelated to the EVP_DigestInit_ex() operation we just
executed.
Fixes: https://github.com/nodejs/node/issues/4221
PR-URL: https://github.com/nodejs/node/pull/4731
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
The wrong commit SHAs were used
PR-URL: https://github.com/nodejs/node/pull/5165
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Rod Vagg <r@va.gg>
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Note that this release includes a non-backward compatible change to
address a security issue. This change increases the version of the LTS
v4.x line to v4.3.0. There will be *no further updates* to v4.2.x.
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.5.0 to 2.5.1
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
PR-URL: https://github.com/nodejs/node-private/pull/20
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Fixes: https://github.com/nodejs/node/issues/1461
PR-URL: https://github.com/nodejs/node/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The `--security-revert={cvenum}` command line flag is a special purpose
flag to be used only in stable or LTS branches when a breaking change
is required to address a security vulnerability. Whenever a vulnerability
requires a breaking change, and a CVE has been assigned, the flag can
be used to force Node to revert to the insecure behavior that was
implemented before the fix was applied.
Note that this flag is intended to be used only as a last resort in the
case a security update breaks existing code. When used, a security
warning will be printed to stderr when Node launches.
The `--security-revert={cvenum}` flag takes a single CVE number as an
argument. Multiple instances of the `--security-revert={cvenum}` flag
can be used on the command line to revert multiple changes.
Whenever a new `--security-revert={cvenum}` is enabled, it should be
documented in the release notes and in the API docs.
Master and the first release of a new major (e.g. v6.0) should not have
any reverts available.
Every time a new `--security-revert={cvenum}` is added, there should be
a semver-minor bump in the stable and LTS branch.
PR-URL: https://github.com/nodejs/node-private/pull/20
Notable changes:
* Fix regression in debugger and profiler functionality
PR-URL: https://github.com/nodejs/node/pull/4788
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
With the introduction of temporary paths in the test runner
realpath tests would bail in scenarios where the temporary folder
wasn't in the same directory as the source code.
PR-URL: https://github.com/nodejs/node/pull/4477
Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/4054
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
test-fs-realpath.js was writing files to the fixture dir. This changes
it to use the temp directory instead. This also replaces some of the
string concatenation for paths with uses of path.join() and
path.relative().
PR-URL: https://github.com/nodejs/node/pull/4489
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
A few tests assumed that temp dirs always lived in the same
parent folder as fixtures. Make these use `common.tmpDir` instead.
PR-URL: https://github.com/nodejs/node/pull/3325
Reviewed-By: Joao Reis <reis@janeasystems.com>
In CI we previously passed `NODE_COMMON_PIPE` to the test runner to
avoid long filenames. Add an option to the test runner that allows the
user to change the temporary directory instead. This also allows us to
run test suites in parallel since `NODE_COMMON_PIPE` otherwise would
have been used from multiple tests at the same time.
PR-URL: https://github.com/nodejs/node/pull/3325
Reviewed-By: Joao Reis <reis@janeasystems.com>
The last sentence of the explanation for the first stream section
seemed a bit confusing. I tried to change the sentence to clarify it.
Additionally, the sections were turned into a numbered list to be more
clear about which section is being described, and improve readability.
PR-URL: https://github.com/nodejs/node/pull/4234
Reviewed-By: James M Snell <jasnell@gmail.com>
Remove all remaining unused variables from tests in test/parallel.
PR-URL: https://github.com/nodejs/node/pull/4511
Reviewed-By: James M Snell<jasnell@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
The http tests seem especially prone to including unused variables.
This change removes them.
PR-URL: https://github.com/nodejs/node/pull/4422
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Debug mode slows execution speed. There is work afoot to enable Debug
mode runs on the continuous integration infrastructure for the project.
Some tests are timing out, such as test-net-GH-5504.js.
This change doubles the timeout returned from `common.platformTimeout()`
when running in Debug mode. It also removes an unused variable from the
aforementioned test-net-GH-5504.js.
PR-URL: https://github.com/nodejs/node/pull/4431
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Some of the TLS tests have variables that do not get used. This removes
those variables.
PR-URL: https://github.com/nodejs/node/pull/4424
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Remove a handful of variables that are declared but never used in the
tests for the net module.
PR-URL: https://github.com/nodejs/node/pull/4430
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
In addition to removing unused vars, this also fixes an instance where
booleans were set presumably to check something but then never used.
This now confirms that the events that were setting the booleans are
fired.
PR-URL: https://github.com/nodejs/node/pull/4425
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Remove unused vars in tests
PR-URL: https://github.com/nodejs/node/pull/4536
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>