Notable changes:
* openssl: Fully remove SSLv2 support, the `--enable-ssl2` command
line argument will now produce an error. The DROWN Attack
(https://drownattack.com/) creates a vulnerability where SSLv2 is
enabled by a server, even if a client connection is not using SSLv2.
The SSLv2 protocol is widely considered unacceptably broken and
should not be supported. More information is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0800
Note that the upgrade to OpenSSL 1.0.1s in Node.js v0.12.11 removed
internal SSLv2 support. The change in this release was originally
intended for v0.12.11. The `--enable-ssl2` command line argument now
produces an error rather than being a no-op.
PR-URL: https://github.com/nodejs/nodejs.org/pull/562
The upstream and dep were slightly out of sync due to the way the
recent security update had to be done. This brings the two back
into sync. This update includes a couple of fixed tests and a
performance related semver-patch update to the http method parsing.
PR-URL: https://github.com/nodejs/node/pull/5600
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
This reverts commit d9f7a597e4.
Changes here probably need wider discussion so revert the change until
that can happen.
PR-URL: https://github.com/nodejs/node/pull/5602
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
In AsyncWrap::MakeCallback always return empty handle if there is an
error. In the future this should change to return a v8::MaybeLocal, but
that major change will have to wait for v6.x, and these changes are
meant to be backported to v4.x.
The HTTParser call to AsyncWrap::MakeCallback failed because it expected
a thrown call to return an empty handle.
In node::MakeCallback return an empty handle if the call is
in_makecallback(), otherwise return v8::Undefined() as usual to preserve
backwards compatibility.
Fixes: https://github.com/nodejs/node/issues/5555
PR-URL: https://github.com/nodejs/node/pull/5591
Reviewed-By: Julien Gilli <jgilli@nodejs.org>
Currently we are not testing that `npm install` works.
This is a very naive / basic test that shells out to `npm install`
in an empty `tempDir`. While this test will not be able to check
that `npm install` is 100% working, it should catch certain edge
cases that break it.
PR-URL: https://github.com/nodejs/node/pull/5166
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Alexis Campailla <orangemocha@nodejs.org>
PR-URL: https://github.com/nodejs/node/pull/5557
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
The docs mentioned that the docs source live in
the node source, but did not link to same.
PR-URL: https://github.com/nodejs/node/pull/4591
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: James M Snell <jasnell@gmail.com>
Every time `make test` is run, the cpplint prints the file it
successfully linted. None of the other linters in the project does
that. This patch simply removes the "Done processing" message from the
cpplint.
PR-URL: https://github.com/nodejs/node/pull/5578
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Enabled no-self-assign rule in ESLint.
This required one change in a benchmark file. Changed a loop (that is
outside of the benchmark itself, so performance is not critical) from a
for loop that repeats a string to use String.prototype.repeat() instead.
While at it, took the opportunity to const-ify the benchmark file.
Also moved the "Strict" section in the .eslintrc to match where it is in
the ESLint documentation. Updated the link for Strict rules to point to
the ESLint website rather than the GitHub-hosted code.
PR-URL: https://github.com/nodejs/node/pull/5552
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: targos - Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
also change stripe color to RGB 68 136 62
PR-URL: https://github.com/nodejs/node/pull/5531
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Rod Vagg <rod@vagg.org>
Replace Certificate C++ class with simple functions. Update
crypto.Certificate methods accordingly.
PR-URL: https://github.com/nodejs/node/pull/5382
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Replacing the regexp and replace function with a loop improves
performance by ~60-200%.
PR-URL: https://github.com/nodejs/node/pull/5360
Reviewed-By: James M Snell <jasnell@gmail.com>
By manually copying arguments and breaking the try/catch out, we are
able to improve the performance of util.format by 20-100% (depending on
the types).
PR-URL: https://github.com/nodejs/node/pull/5360
Reviewed-By: James M Snell <jasnell@gmail.com>
Use the "Apple LLVM" version number since the banner has changed in
newer versions of Mac OS X, resulting in the obsolete assembler path
being used to compile OpenSSL.
PR-URL: https://github.com/nodejs/node/pull/5553
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit adds a failing test case for the vm module.
Currently, if runInContext() defines a function, and a later call
to runInContext() redefines the same function, the original
function is not overwritten.
Refs: https://github.com/nodejs/node/issues/548
PR-URL: https://github.com/nodejs/node/pull/5528
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Wyatt Preul <wpreul@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This commit adds a known_issues directory to the test directory
for scripts that reproduce known bugs. Since these scripts are
expected to fail, it also adds a --expect-fail flag to test.py
which reports tests as successful when they fail.
Refs: https://github.com/nodejs/testing/issues/18
PR-URL: https://github.com/nodejs/node/pull/5528
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Wyatt Preul <wpreul@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Avoid 'delete this' as it can be hazardous and/or dependent on
implementations.
PR-URL: https://github.com/nodejs/node/pull/5494
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: targos - Michaël Zasso <mic.besace@gmail.com>
V8 String::NewExternal is deprecated in 4.9. Migrate string_bytes.cc to
the alternatives.
PR-URL: https://github.com/nodejs/node/pull/5462
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Simplify how node_contextify was keeping a weak reference to the
sandbox object in order to prepare for new style phantom weakness V8
API. It is simpler (and more robust) for the context to hold a
reference to the sandbox in an embedder data field. Doing otherwise
meant that the sandbox could become weak while the context was still
alive. This wasn't a problem because we would make the reference
strong at that point.
Since the sandbox must live at least as long as the context, it
would be better for the context to hold onto the sandbox.
PR-URL: https://github.com/nodejs/node/pull/5392
Reviewed-By: Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Cleanup how node_contextify keeps weak references in order to prepare
for new style phantom weakness API. We didn't need to keep a weak
reference to the context's global proxy, as the context holds it.
PR-URL: https://github.com/nodejs/node/pull/5392
Reviewed-By: Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Old style SetWeak is now deprecated, and weakness now works like
phantom references. This means we no longer have a reference to the
object in the weak callback. We use a kInternalFields style weak
callback which provides us with the contents of 2 internal fields
where we can squirrel away the native buffer pointer.
We can no longer neuter the buffer in the weak callback, but that
should be unnecessary as the object is going to be GC'd during the
current gc cycle.
PR-URL: https://github.com/nodejs/node/pull/5204
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com>
Dynamic checks that CallbackInfo holds an ArrayBuffer handle can be
converted into compiler enforced checks. Removed unused code, and
other minor cleanup.
PR-URL: https://github.com/nodejs/node/pull/5204
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com>