Set the `req.buffer` property, which serves as a way of keeping
a `Buffer` alive that is being written to a stream, on the C++
side instead of the JS side.
This closes a hole where buffers that were temporarily created
in order to write strings with uncommon encodings (e.g. `hex`)
were passed to the native side without being set as `req.buffer`.
Fixes: https://github.com/nodejs/node/issues/8251
PR-URL: https://github.com/nodejs/node/pull/8252
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This change is in preparation for lint enforcement of brace style.
PR-URL: https://github.com/nodejs/node/pull/8348
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
This change is in preparation for lint-enforced brace style.
PR-URL: https://github.com/nodejs/node/pull/8348
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Since I was doing the necessary git archaeology anyway, I took the time
to add YAML information to the docs about when `addMembership()` and
`dropMembership()` first appeared in their current forms.
PR-URL: https://github.com/nodejs/node/pull/6753
Ref: https://github.com/nodejs/node/issues/6578
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Use `msvs_settings.MASM.UseSafeExceptionHandlers` when building OpenSSL
assembly code on Windows. This option appends `/safeseh` to the list of
assembler flags when building `.asm` files on Windows.
Having this option in place, separate rules in `masm_compile.gypi` are
no longer needed.
Fix: #7426
PR-URL: https://github.com/nodejs/node/pull/7427
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Bert Belder <bertbelder@gmail.com>
Inspect boxed symbol objects in the same way other boxed primitives
are inspected.
Fixes: https://github.com/nodejs/node/issues/7639
PR-URL: https://github.com/nodejs/node/pull/7641
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
The function objects encapsulating `isIPv4` and `isIPv6` are not
necessary. They can be directly exposed from `cares`.
PR-URL: https://github.com/nodejs/node/pull/7481
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Exclude tests for AIX in 4.x stream now that
its been added to regular regression runs. This
will avoid known failures from making the build
look RED while also being able to catch any
new regressions if they are introduced.
PR-URL: https://github.com/nodejs/node/pull/8076
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Joao Reis <reis@janeasystems.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Minor rewording related to making a server listen to a random port,
and added how to retrieve which port was randomly chosen by the OS.
Also changed documented `server.listen()` signature as it does in fact
not require `port` to be provided.
PR-URL: https://github.com/nodejs/node/pull/8025
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Manual backport from master to 4.x stream, original
commit message follows.
I often want to run a test many times to see if a failure
can be recreated and I believe this is a common
use case. We even have this job in the CI
https://ci.nodejs.org/job/node-stress-single-test/configure
but often you want to run it on a specific machine.
This patch adds the --repeat option so that
you can repeat the selected set of tests a
number of times. Given existing options
in test.py this will allow you to run
one or more tests for the number of
repeats specified. For example:
tools/test.py -j8 --repeat 1000 parallel/test-process-exec-argv
runs the test-process-exec-argv test 1000 times,
running 8 copies in parallel
tools/test.py --repeat 2
would run the entire test suite twice.
PR-URL: https://github.com/nodejs/node/pull/6700
Reviewed-By: Ben Noorhduis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: thefourtheye - Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: joaocgreis - João Reis <reis@janeasystems.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Add an option to the configure script for building d8. Useful for
testing V8 standalone.
PR-URL: https://github.com/nodejs/node/pull/7538
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable Changes
Semver Minor:
* openssl:
- Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
- Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
a crash when using CRLs, CVE-2016-7052.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted into
Node.js at runtime by masquerading as one of the dynamic engine
modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/70
* http: CVE-2016-5325 - Properly validate for allowable characters in
the `reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses, users
should already be adopting try/catch here. Originally reported
independently by Evan Lucas and Romain Gaucher.
(Evan Lucas) https://github.com/nodejs/node-private/pull/46
Semver Patch:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated.
(Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/65
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko and
James Bunton (Atlassian).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/63
PR-URL: https://github.com/nodejs/node-private/pull/74
Compile out hardware engines. Most are stubs that dynamically load
the real driver but that poses a security liability when an attacker
is able to create a malicious DLL in one of the default search paths.
PR-URL: https://github.com/nodejs/node-private/pull/70
Reviewed-By: James Snell <jasnell@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Joao Reis <reis@janeasystems.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
This makes sure that no uninitialized bytes are leaked when the specified
`totalLength` input value is greater than the actual total length of the
specified buffers array, e.g. in Buffer.concat([Buffer.alloc(0)], 100).
PR-URL: https://github.com/nodejs/node-private/pull/65
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rod Vagg <rod@vagg.org>
Previously, the reason argument passed to ServerResponse#writeHead was
not being properly validated. One could pass CRLFs which could lead to
http response splitting. This commit changes the behavior to throw an
error in the event any invalid characters are included in the reason.
CVE-2016-5325
PR-URL: https://github.com/nodejs/node-private/pull/46
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
PR-URL: https://github.com/nodejs/node/pull/8786
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
This replaces all sources of openssl-1.0.2j.tar.gz into
deps/openssl/openssl
PR-URL: https://github.com/nodejs/node/pull/8786
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
openssl command does not allow to both "-ssl3" and "-no_tls1".
A protocol connecting to the server is only specified.
PR-URL: https://github.com/nodejs/node/pull/8714
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Regenerate asm files with Makefile and CC=gcc and ASM=gcc where
gcc-5.4.0. Also asm files in asm_obsolete dir to support old compiler
and assembler are regenerated without CC and ASM envs.
PR-URL: https://github.com/nodejs/node/pull/8714
Reviewed-By: Fedor Indutny <fedor@indutny.com>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
PR-URL: https://github.com/nodejs/node/pull/8714
Reviewed-By: Fedor Indutny <fedor@indutny.com>
This replaces all sources of openssl-1.0.2i.tar.gz into
deps/openssl/openssl
PR-URL: https://github.com/nodejs/node/pull/8714
Reviewed-By: Fedor Indutny <fedor@indutny.com>
This benchmark fails on Windows when trying to execute command which
is more than 32k in size. This commits skips this one case when running
under Windows.
PR-URL: https://github.com/nodejs/node/pull/7178
Reviewed-By: Trott - Rich Trott <rtrott@gmail.com>
Reviewed-By: orangemocha - Alexis Campailla <orangemocha@nodejs.org>
Backported from
99bf6face5
We can tell when `node-gyp` is changed by creating a prerequisite on
`deps/npm/node_modules/node-gyp/package.json`. The prerequisite is added
to the `test/addons/.buildstamp` since `build-addons` is .PHONY.
Testing for this change was entirely manual.
$ make clean test-build # Initial build
$ make test-build # Make sure build-addons doesn't rebuild
$ touch deps/npm/node_modules/node-gyp/package.json # simulate change
$ make test-build # Ensure build-addons rebuilds
PR-URL: https://github.com/nodejs/node/pull/6787
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This helps to prevent issues where a failed test can keep a bound
socket open long enough to cause other tests to fail with EADDRINUSE
because the same port number is used.
PR-URL: https://github.com/nodejs/node/pull/7045
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
This commit removes some unnecessary signed checks on unsigned
variables.
PR-URL: https://github.com/nodejs/node/pull/7174
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
GCM cipher IV length can be >=1 bytes.
When not the default 12 bytes (96 bits) sets the IV length using
`EVP_CIPHER_CTX_ctrl` with type `EVP_CTRL_GCM_SET_IVLEN`
PR-URL: https://github.com/nodejs/node/pull/6376
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
After the #3888 it was not possible to "make doc-only"
in some situations. This now fallsback to any installed
node version and throws "node not found" in error case.
Ref: https://github.com/nodejs/node/pull/3888
PR-URL: https://github.com/nodejs/node/pull/6906
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Add a `REPLACEME` tag that should be used when introducing
docs for new features, so that they can be updated when releases
are made.
Ref: https://github.com/nodejs/node/issues/6578
PR-URL: https://github.com/nodejs/node/pull/6864
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Claudio Rodriguez <cjrodr@yahoo.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Anna Henningsen
Rich Trott
Fedor Indutny
Sakthipriyan Vairamani
Ryan Lewis
Michael Dawson
Phillip Johnsen
Marcin Cieślak
Ben Noordhuis
Rod Vagg
Daniel Stenberg
Сковорода Никита Андреевич
Evan Lucas
Shigeki Ohtsu
Fedor Indutny
Shigeki Ohtsu
Myles Borins
Bartosz Sosnowski
Lance Ball
Brian White
Kat Marchán
Michael Wain
Robert Jefe Lindstaedt