* http: allow multiple WebSocket RFC6455 headers (Einar Otto Stangvik)
* http: allow multiple WWW-Authenticate headers (Ben Noordhuis)
* windows: support unicode argv and environment variables (Bert Belder)
* tls: mitigate session renegotiation attacks (Ben Noordhuis)
* tcp, pipe: don't assert on uv_accept() errors (Ben Noordhuis)
* tls: Allow establishing secure connection on the existing socket (koichik)
* dgram: handle close of dgram socket before DNS lookup completes (Seth Fitzsimmons)
* windows: Support half-duplex pipes (Igor Zinkovsky)
* build: disable omit-frame-pointer on solaris systems (Dave Pacheco)
* debugger: fix --debug-brk (Ben Noordhuis)
* net: fix large file downloads failing (koichik)
* fs: fix ReadStream failure to read from existing fd (Christopher Jeffrey)
* net: destroy socket on DNS error (Stefan Rusu)
* dtrace: add missing translator (Dave Pacheco)
* unix: don't flush tty on switch to raw mode (Ben Noordhuis)
* windows: reset brightness when reverting to default text color (Bert Belder)
* npm: update to 1.1.1
  - Update which, fstream, mkdirp, request, and rimraf
  - Fix #2123 Set path properly for lifecycle scripts on windows
  - Mark the root as seen, so we don't recurse into it. Fixes #1838. (Martin Cooper)

This commit fixes a bug where the cluster module failed to propagate EADDRINUSE
errors.

When a worker starts a (net, http) server, it requests the listen socket from
its master who then creates and binds the socket.

Now, OS X and Windows don't always signal EADDRINUSE from bind() but instead
defer the error until a later syscall. libuv mimics this behaviour to provide
consistent behaviour across platforms but that means the worker could end up
with a socket that is not actually bound to the requested address.

That's why the worker now checks if the socket is bound, raising EADDRINUSE if
that's not the case.

Fixes #2721.

The TLS protocol allows (and sometimes requires) clients to renegotiate the
session. However, renegotiation requires a disproportional amount of server-side
resources, particularly CPU time, which makes it a potential vector for
denial-of-service attacks.

To mitigate this issue, we keep track of and limit the number of renegotiation
requests over time, emitting an error if the threshold is exceeded.
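
The counting scheme this commit message describes, as an added JavaScript example that is not Node's own code. The class and function names, the limit of 3 requests and the 10-minute window are assumptions chosen for illustration, and the request list is constructed.

```javascript
// Added illustration, not Node's implementation. Class, function and option
// names and the limit/window defaults are assumptions made for this example.
class RenegotiationLimiter {
  constructor({ limit = 3, windowMs = 10 * 60 * 1000, onError = () => {} } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.onError = onError;
    this.windowStart = null; // time of the first request in the current window
    this.count = 0;          // renegotiation requests seen in that window
  }

  // Call once per client-initiated renegotiation request on one connection.
  // Returns true while within budget, false once the threshold is exceeded.
  record(nowMs) {
    if (this.windowStart === null || nowMs - this.windowStart >= this.windowMs) {
      this.windowStart = nowMs; // first request or window expired: start over
      this.count = 0;
    }
    this.count += 1;
    if (this.count > this.limit) {
      this.onError(new Error('TLS renegotiation limit exceeded'));
      return false;
    }
    return true;
  }
}

// Replay constructed { conn, at } requests (at = milliseconds) and return the
// ids of connections that crossed the threshold, in the order flagged.
function flagAbusiveConnections(requests, options = {}) {
  const limiters = new Map();
  const flagged = [];
  for (const { conn, at } of requests) {
    if (flagged.includes(conn)) continue; // treated as closed after the error
    if (!limiters.has(conn)) {
      const onError = () => flagged.push(conn);
      limiters.set(conn, new RenegotiationLimiter({ ...options, onError }));
    }
    limiters.get(conn).record(at);
  }
  return flagged;
}

// Constructed sample: "a" renegotiates every 5 minutes, "b" floods within 1 s.
const SAMPLE = [
  ...[0, 300000, 600000, 900000, 1200000].map((at) => ({ conn: 'a', at })),
  ...[1000, 1200, 1400, 1600, 1800].map((at) => ({ conn: 'b', at })),
];
console.log(flagAbusiveConnections(SAMPLE));
```

The state is kept per connection, so a client that renegotiates occasionally is unaffected while one that floods requests inside a single window triggers the error on its fourth request.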

It's possible for a new connection to be closed in the window between the
accept() syscall and the call to uv_accept(). Deal with it and move on, don't
assert.