Commit 3c293ba ("http: protect against response splitting attacks")
filters out newline characters from HTTP headers but forgot to apply
the same logic to trailing HTTP headers, i.e., headers that come after
the response body. This commit rectifies that.
The expected security impact is low because approximately no one uses
trailing headers. Some HTTP clients can't even parse them.
PR-URL: https://github.com/nodejs/node/pull/2945
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Rod Vagg <r@va.gg>
Instantiating a Buffer of length zero would set the kNoZeroFill flag to
true but never actually call ArrayBuffer::Allocator(). Which means the
flag was never set back to false. The result was that the next
allocation would unconditionally not be zero filled.
Add test to ensure Uint8Array's are zero-filled after creating a Buffer
of length zero. This test may falsely succeed, but will not falsely fail.
Fix: https://github.com/nodejs/node/issues/2930
PR-URL: https://github.com/nodejs/node/pull/2931
Reviewed-By: Rod Vagg <rod@vagg.org>
As `raw` and `raws` encodings are deprecated for such a long time, and
they both are undocumented, this patch removes the support for those
encodings completely.
Previous discussion: https://github.com/nodejs/node/pull/2829
PR-URL: https://github.com/nodejs/node/pull/2859
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Most calls to ref() and unref() are chainable, timers should be
chainable, too.
Typical use:
var to = setTimeout(ontimeout, 123).unref();
PR-URL: https://github.com/nodejs/node/pull/2905
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trevor Norris <trevnorris@nodejs.org>
Overall construction time of Typed Arrays is faster in JS, but the
problem with using it normally is zero-fill of memory. Get around this
by using a flag in the ArrayBuffer::Allocator to trigger when memory
should or shouldn't be zero-filled.
Remove Buffer::Create() as it is no longer called.
The creation of the Uint8Array() was done at each callsite because at
the time of this patch there was a performance penalty for centralizing
the call in a single function.
PR-URL: https://github.com/nodejs/node/pull/2866
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Refactor out the if/else statement checking for option.host.
Add whitespace to make concatenation chunks more readable and
consistent with the https version of Agent.getName().
PR-URL: https://github.com/nodejs/node/pull/2825
Reviewed-By: Julian Duque <julianduquej@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This commit refactors LazyTransform from the crypto implementation
(lib/crypto.js) into an internal module (not publicy accessible) in
internal/streams/lazy_transform.js. This promotes a more modular core
design and removes code bloat in crypto, as LazyTransform didn't
specifically have anything to do with cryptography, but rather a fast
way to support two APIs on a stream.
PR-URL: https://github.com/nodejs/node/pull/2566
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Socket resume may happen on a next tick, and in following scenario:
1. `socket.resume()`
2. `socket._handle.close()`
3. `socket._handle = null;`
The `_resume` will be invoked with empty `._handle` property. There is
nothing bad about it, and we should just ignore the `resume`/`pause`
events in this case.
Same applies to the unconsuming of socket on adding `data` and/or
`readable` event listeners.
Fix: https://github.com/nodejs/node/issues/2821
PR-URL: https://github.com/nodejs/node/pull/2824
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Streams with writev allow many buffers to be pushed to underlying OS
APIs in one batch, in this case improving write throughput by an order
of magnitude. This is especially noticeable when writing many (small)
buffers.
PR-URL: https://github.com/nodejs/node/pull/2167
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Previously, in _validateStdio we were using stdio.fd || stdio. If
stdio.fd was falsy (or 0 in the case of stdin), then the entire stdio
object would be passed which could cause a crash.
Fixes: https://github.com/nodejs/node/issues/2721
PR-URL: https://github.com/nodejs/node/pull/2727
Reviewed-By: silverwind - Roman Reiss <me@silverwind.io>
Reviewed-By: cjihrig - Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com>
Fixes a regression that appeared with the new Buffer implementation in v3.
Without this change, calling the SlowBuffer constructor with something else
than a number would abort on the C++ side. This makes sure that the length
argument is coerced to number or is 0.
Fixes: https://github.com/nodejs/node/issues/2634
PR-URL: https://github.com/nodejs/node/pull/2635
Reviewed-By: trevnorris - Trevor Norris <trev.norris@gmail.com>
Reviewed-By: cjihrig - Colin Ihrig <cjihrig@gmail.com>
Now parts of our public and public-ish APIs fall back to old-style
listenerCount() if the emitter does not have a listenerCount function.
Fixes: https://github.com/nodejs/node/issues/2655
Refs: 8f58fb92ff
PR-URL: https://github.com/nodejs/node/pull/2661
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Port of joyent/node commits:
* e17c5a72b2
* 70dafa7b62
Pull over test-child-process-spawn-typeerror.js from v0.12, replacing
the existing test in master. The new test includes a broader set of
tests on the various arg choices and throws.
Reviewed-By: trevnorris - Trevor Norris <trevnorris@nodejs.org>
Reviewed-By: cjihrig - Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: thefourtheye - Sakthipriyan Vairamani
PR-URL: https://github.com/nodejs/node/pull/2667
Fixes: https://github.com/nodejs/node/issues/2515
Add an optional callback parameter to `ChildProcess.prototype.send()`
that is invoked when the message has been sent.
Juggle the control channel's reference count so that in-flight messages
keep the event loop (and therefore the process) alive until they have
been sent.
`ChildProcess.prototype.send()` and `process.send()` used to operate
synchronously but became asynchronous in commit libuv/libuv@393c1c5
("unix: set non-block mode in uv_{pipe,tcp,udp}_open"), which landed
in io.js in commit 07bd05b ("deps: update libuv to 1.2.1").
Fixes: https://github.com/nodejs/node/issues/760
PR-URL: https://github.com/nodejs/node/pull/2620
Reviewed-By: trevnorris - Trevor Norris <trev.norris@gmail.com>
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
v8 will silently return an empty handle
which doesn't delete our data if string length is
above String::kMaxLength
Fixes: https://github.com/nodejs/node/issues/1374
PR-URL: https://github.com/nodejs/node/pull/2402
Reviewed-By: trevnorris - Trevor Norris <trev.norris@gmail.com>
Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Amended by @rvagg to change author date from
"1970-08-16 16:09:02 +0200"
to
"2015-08-16 16:09:02 +0200"
as per discussion @ https://github.com/nodejs/node/issues/2713
This commit addresses most of the review comments in
https://github.com/nodejs/node/pull/2540, which are kept in this
separate commit so as to better preserve the prior two patches as they
landed in 0.12.
This commit:
- Fixes a bug with unrefActive timers and disposed domains.
- Fixes a bug with unrolling an unrefActive timer from another.
- Adds a test for both above bugs.
- Improves check logic, making it stricter, simpler, or both.
- Optimizes nicer with a smaller, separate function for the try/catch.
Fixes: https://github.com/nodejs/node-convergence-archive/issues/23
Ref: https://github.com/nodejs/node/issues/268
PR-URL: https://github.com/nodejs/node/pull/2540
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Before this change, _unrefActive would keep the unrefList sorted when
adding a new timer.
Because _unrefActive is called extremely frequently, this linear scan
(O(n) at worse) would make _unrefActive show high in the list of
contributors when profiling CPU usage.
This commit changes _unrefActive so that it doesn't try to keep the
unrefList sorted. The insertion thus happens in constant time.
However, when a timer expires, unrefTimeout has to go through the whole
unrefList because it's not ordered anymore.
It is usually not large enough to have a significant impact on
performance because:
- Most of the time, the timers will be removed before unrefTimeout is
called because their users (sockets mainly) cancel them when an I/O
operation takes place.
- If they're not, it means that some I/O took a long time to happen, and
the initiator of subsequents I/O operations that would add more timers
has to wait for them to complete.
With this change, _unrefActive does not show as a significant
contributor in CPU profiling reports anymore.
Fixes: https://github.com/joyent/node/issues/8160
Signed-off-by: Timothy J Fontaine <tjfontaine@gmail.com>
Conflicts:
lib/timers.js
Fixes: https://github.com/nodejs/node-convergence-archive/issues/23
Ref: https://github.com/nodejs/node/issues/268
PR-URL: https://github.com/nodejs/node/pull/2540
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
This reverts commit 6cd0e2664b.
This reverts commit 7a999a1376.
This reverts commit f337595441.
It turns out that on Windows, uv_pipe_getsockname() is a no-op for
client sockets. It slipped through testing because of a CI snafu.
PR-URL: https://github.com/nodejs/node/pull/2584
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Complements the existing net.Socket#remoteFamily property.
PR-URL: https://github.com/nodejs/node/pull/956
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
The implementation is a minor API change in that socket.address() now
returns a `{ address: '/path/to/socket' }` object, like it does for TCP
and UDP sockets. Before this commit, it returned `socket._pipeName`,
which is a string when present.
Change common.PIPE on Windows from '\\\\.\\pipe\\libuv-test' to
'\\\\?\\pipe\\libuv-test'. Windows converts the '.' to a '?' when
creating a named pipe, meaning that common.PIPE didn't match the
result from NtQueryInformationFile().
Fixes: https://github.com/nodejs/node/issues/954
PR-URL: https://github.com/nodejs/node/pull/956
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
There is no type-conversion to be done. Therefore, use the === operator.
PR-URL: https://github.com/nodejs/node/pull/2558
Reviewed-By: Rich Trott <rtrott@gmail.com>
Explicitly note that these modules should not be used outside of core.
PR-URL: https://github.com/nodejs/node/pull/2523
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
roundUpToNextPowerOf2() does more than just rounding up to the next
power of two. Rename it to computeNewHighWaterMark().
PR-URL: https://github.com/nodejs/node/pull/2479
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Don't iterate over all 32 bits, use some hacker's delight bit twiddling
to compute the next power of two.
The logic can be reduced to `n = 1 << 32 - Math.clz32(n)` but then it
can't easily be backported to v2.x; Math.clz32() was added in V8 4.3.
PR-URL: https://github.com/nodejs/node/pull/2479
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
The high watermark is capped at 8 MB, not 128 MB like the comment
in lib/_stream_readable.js said.
PR-URL: https://github.com/nodejs/node/pull/2479
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This commit replaces instances of io.js with Node.js, based on the
recent convergence. There are some remaining instances of io.js,
related to build and the installer.
Fixes: https://github.com/nodejs/node/issues/2361
PR-URL: https://github.com/nodejs/node/pull/2367
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: João Reis <reis@janeasystems.com>
This adds a new `--tls-cipher-list` command line switch
that can be used to override the built-in default cipher
list. The intent of this is to make it possible to enforce
an alternative default cipher list at the process level.
Overriding the default cipher list is still permitted at
the application level by changing the value of
`require('tls').DEFAULT_CIPHERS`.
As part of the change, the built in default list is moved
out of tls.js and into node_constants.h and node_constants.cc.
Two new constants are added to require('constants'):
* defaultCipherList (the active default cipher list)
* defaultCoreCipherList (the built-in default cipher list)
A test case and doc changes are included.
A new NODE_DEFINE_STRING_CONSTANT macro is also created in
node_internals.h
When node_constants is initialized, it will pick up either
the passed in command line switch or fallback to the default
built-in suite.
Within joyent/node, this change had originaly been wrapped
up with a number of other related commits involving the
removal of the RC4 cipher. This breaks out this isolated
change.
/cc @mhdawson, @misterdjules, @trevnorris, @indutny, @rvagg
Reviewed By: Ben Noordhuis <ben@strongloop.com>
PR-URL: https://github.com/nodejs/node/pull/2412
Refactored version of https://github.com/joyent/node/pull/25819
Removes integer keys (and keys starting with numbers) from
candidate list on repl tab complete. Refactored the originally
submitted change to simplify and ensure that the integer keys
do not show up on objects either.
Reviewed By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/2409
Original commit message:
buffer: align chunks on 8-byte boundary
When slicing global pool - ensure that the underlying buffer's data
ptr is 8-byte alignment to do not ruin expectations of 3rd party C++
addons.
NOTE: 0.10 node.js always returned aligned pointers and io.js should
do this too for compatibility.
PR-URL: https://github.com/nodejs/node/pull/2487
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
This resolvesjoyent/node#9272. `tlsSocket.getPeerCertificate` will
return an empty object when the peer does not provide a certificate,
but, prior to this, when the certificate is empty, `checkServerIdentity`
would throw because the `subject` wasn't present on the cert.
`checkServerIdentity` must return an error, not throw one, so this
returns an error when the cert is empty instead of throwing
a `TypeError`.
PR-URL: https://github.com/nodejs/node/pull/2343
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
If you have no history file written to disk, but the environment
variable set, `fs.readFileSync` will throw an ENOENT error,
but there's nothing to convert. The converter should ignore
ENOENT on that `fs.readFileSync` call.
Fixes: https://github.com/nodejs/node/issues/2449
PR-URL: https://github.com/nodejs/node/pull/2451
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Expose and use in TLSWrap an `v8::External` wrap of the
`StreamBase*` pointer instead of guessing the ancestor C++ class in
`node_wrap.h`.
Make use of `StreamBase::Callback` structure for storing/passing both
callback and context in a single object.
Introduce `GetObject()` for future user-land usage, when a child class
is not going to be inherited from AsyncWrap.
PR-URL: https://github.com/nodejs/node/pull/2351
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
As per the discussion in #734, this patch deprecates the usage of
`EventEmitter.listenerCount` static function in the docs, and introduces
the `listenerCount` function in the prototype of `EventEmitter` itself.
PR-URL: https://github.com/nodejs/node/pull/2349
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
v8 introduced the new flag `total_available_size` in version 4.4
and upwards. This flag is now available on `v8.getHeapStatistics`
with the name `total_available_size`. It contains the total
available heap size of v8.
Introduced with commit: v8/v8-git-mirror@0a1352a7
PR-URL: https://github.com/nodejs/io.js/pull/2348
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Remove dead code paths that are created by assertions that will never
trigger. They may only trigger if either the `splitDeviceRe` or
`splitPathRe` regular expressions are modified. If at some point they
are modified, current unit tests will catch most of the resulting
errors and this commit adds extra tests to catch the remaining errors.
PR-URL: https://github.com/nodejs/io.js/pull/2282
Reviewed-By: Roman Reiss <me@silverwind.io>
This commit modifies util.inspect(obj) to additionally show the name of
the function that constructed the object. This often reveals useful
information about the object's prototype. In other words, instead of
> new Cls
{}
we have
> new Cls
Cls {}
This also works with exotic objects:
> class ArrayCls extends Array {}
> new ArrayCls(1, 2, 3)
ArrayCls [ 1, 2, 3 ]
The names of "trivial" constructors like Object and Array are not shown,
unless there is a mismatch between the object representation and the
prototype:
> Object.create([])
Array {}
This feature is inspired by browser devtools.
PR-URL: https://github.com/nodejs/io.js/pull/1935
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
When TLS Session Ticket is renewed by server - no Certificate record is
to the client. We are prepared for empty certificate in this case, but
this relies on the session reuse check, which was implemented
incorrectly and was returning false when the TLS Session Ticket was
renewed.
Use session reuse check provided by OpenSSL instead.
Fix: https://github.com/nodejs/io.js/issues/2304
PR-URL: https://github.com/nodejs/io.js/pull/2312
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Any time the connection state or the underlying handle itself changes,
the socket's name (aka, local address) can change.
To deal with this we need to reset the cached sockname any time we
set or unset the internal handle or an existing handle establishes a
connection.
PR-URL: https://github.com/nodejs/io.js/pull/2095
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Persists the REPL history in plain text using the new NODE_REPL_HISTORY
environment variable. Deprecates NODE_REPL_HISTORY_FILE. The REPL will
notify the user and automatically convert the history to the new format
if files are specified.
PR-URL: https://github.com/nodejs/io.js/pull/2224
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>