This makes sure that no uninitialized bytes are leaked when the specified
`totalLength` input value is greater than the actual total length of the
specified buffers array, e.g. in Buffer.concat([Buffer.alloc(0)], 100).
PR-URL: https://github.com/nodejs/node-private/pull/64
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Compile out hardware engines. Most are stubs that dynamically load
the real driver but that poses a security liability when an attacker
is able to create a malicious DLL in one of the default search paths.
PR-URL: https://github.com/nodejs/node-private/pull/73
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Previously, the reason argument passed to ServerResponse#writeHead was
not being properly validated. One could pass CRLFs which could lead to
http response splitting. This commit changes the behavior to throw an
error in the event any invalid characters are included in the reason.
CVE-2016-5325
PR-URL: https://github.com/nodejs/node-private/pull/60
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
- this shares the iterator variable `i` expictly.
- this converts some var to const.
PR-URL: https://github.com/nodejs/node/pull/8781
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable Changes
Semver Minor:
* openssl:
- Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-2178, and CVE-2016-6306.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
- Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
a crash when using CRLs, CVE-2016-7052.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted
into Node.js at runtime by masquerading as one of the dynamic
engine modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/73
* http: CVE-2016-5325 - Properly validate for allowable characters in
the `reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses, users
should already be adopting try/catch here. Originally reported
independently by Evan Lucas and Romain Gaucher.
(Evan Lucas) https://github.com/nodejs/node-private/pull/60
Semver Patch:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated.
(Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/64
* src: Fix regression where passing an empty password and/or salt to
crypto.pbkdf2() would cause a fatal error
(Rich Trott) https://github.com/nodejs/node/pull/8572
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in the
wildcard string. Originally reported by Alexander Minozhenko and
James Bunton (Atlassian).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/75
* v8: Fix regression where a regex on a frozen object was broken
(Myles Borins) https://github.com/nodejs/node/pull/8673
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable Changes
Semver Minor:
* openssl:
- Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
- Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
a crash when using CRLs, CVE-2016-7052.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted into
Node.js at runtime by masquerading as one of the dynamic engine
modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/70
* http: CVE-2016-5325 - Properly validate for allowable characters in
the `reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses, users
should already be adopting try/catch here. Originally reported
independently by Evan Lucas and Romain Gaucher.
(Evan Lucas) https://github.com/nodejs/node-private/pull/46
Semver Patch:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated.
(Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/65
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko and
James Bunton (Atlassian).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/63
PR-URL: https://github.com/nodejs/node-private/pull/74
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated. (Сковорода Никита Андреевич)
* http:
- CVE-2016-5325 - Properly validate for allowable characters in the
`reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses,
users should already be adopting try/catch here. Originally
reported independently by Evan Lucas and Romain Gaucher.
(Evan Lucas)
- Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999. Lack of proper validation may also
serve as a potential response splitting attack vector. Backported
from v4.x. (Brian White)
* openssl:
- Upgrade to 1.0.1u, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted
into Node.js at runtime by masquerading as one of the dynamic
engine modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis, Rod Vagg)
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko
and James Bunton (Atlassian). (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/72
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated. (Сковорода Никита Андреевич)
* http:
- CVE-2016-5325 - Properly validate for allowable characters in the
`reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses,
users should already be adopting try/catch here. Originally
reported independently by Evan Lucas and Romain Gaucher.
(Evan Lucas)
- Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999. Lack of proper validation may also
serve as a potential response splitting attack vector. Backported
from v4.x. (Brian White)
* openssl: Upgrade to 1.0.1u, fixes a number of defects impacting
Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded
memory growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko
and James Bunton (Atlassian). (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/71
this commit enhances the guidelines to creating a release blog post, specifically by adding
a commit format that must be adhered to when creating a pull request on the website repository
Fixes: https://github.com/nodejs/node/issues/8629
PR-URL: https://github.com/nodejs/node/pull/8631
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: James M Snell <jasnell@keybase.io>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
crypto.timingSafeEqual() has been added in v6.6.0 cf. #8304
This commit adds the metadata that will display
"Added in: v6.6.0" and that can later be checked on
https://nodejs.org/api/crypto.html#crypto_crypto_timingsafeequal_a_b
PR-URL: https://github.com/nodejs/node/pull/8796
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Teddy Katz <teddy.katz@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This renames doc/topics/the-event-loop-timers-and-nexttick.md to
doc/topics/event-loop-timers-and-nexttick.md, which looks like a
better name for that file and enables no-file-name-articles remark-lint
rule to prevent such names in the future.
PR-URL: https://github.com/nodejs/node/pull/8713
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
When NODE_REPL_HISTORY isn't defined `repl` defaults to temporary file
This prevents the temporary file from being cleared and removes check
on fixture
Refs: https://github.com/nodejs/node/issues/4640
PR-URL: https://github.com/nodejs/node/pull/8756
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
PR-URL: https://github.com/nodejs/node/pull/8595
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This makes sure that the first heading in all markdown files is h1.
Only three files needed to be changed to conform:
1. BUILDING.md
2. CODE_OF_CONDUCT.md
3. doc/onboarding-extras.md
Also, .remarkrc is updated to include the `first-heading-level: 1`
rule in order to catch similar issues in the future.
PR-URL: https://github.com/nodejs/node/pull/8716
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Changes var to const, != to !==, and assert.equal() to assert.strict
Equal()
PR-URL: https://github.com/nodejs/node/pull/8764
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
replace ==, !=, some instances of var, and assert.equal()
PR-URL: https://github.com/nodejs/node/pull/8770
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Teddy Katz <teddy.katz@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
Replaced .indexOf() with .includes() for more clarity as to
what it is doing.
Many of the instances of var changed to const.
Instances of assert.equal() refactored to assert.strictEqual() or
assert.ifError()
Removed the unlinkSync() call in the exit event handler because it
probably only handles files in the testing tmp directory so there is
no need to unlink them.
PR-URL: https://github.com/nodejs/node/pull/8769
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
Changed var to const where appropriate. Substituted
assert.strictEqual for assert.equal for better type checks.
PR-URL: https://github.com/nodejs/node/pull/8762
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
1) Add missing assertion that slicing a 0 length buffer does not throw
2) Add assertion that slicing a 0 length buffer has a length of 0
PR-URL: https://github.com/nodejs/node/pull/8729
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
V8 5.4 changed the way that the default constructor of derived classes
is called. It introduced a significant performance regression in the
buffer module for the creation of pooled buffers. This commit forces the
definition back to how it was implicitly before.
Ref: https://bugs.chromium.org/p/v8/issues/detail?id=4890
PR-URL: https://github.com/nodejs/node/pull/8754
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
We use tls.TLSSocket type in tls.md, so that needs to be added to doctool's typeMap
PR-URL: https://github.com/nodejs/node/pull/8742
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Remove obsolete build file entries.
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/8753
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/8748
PR-URL: https://github.com/nodejs/node/pull/8741
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This changes child-process-exec-stdout benchmark to use 'yes' instead
of echo in a while loop. This makes this benchmark consistent with
child-process-read which already uses `yes` and allows this benchmark
to be executed on Windows.
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/node/pull/8721
This changes the way v8-bench.js reports its performance to be consistent
with other benchmarks.
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Andreas Madsen <amwebdk@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/8564
Adds --expose_internals switch to benchmark runner. This makes
misc/freelist.js benchmark run properly
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Andreas Madsen <amwebdk@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/8547
AIX handles closed stdio differently (but still compliant with spec as
far as I can tell) than other POSIX variants we test. Test results are
different than Linux and others because AIX takes measures to not re-use
the file descriptors for stdio if one of the stdio streams is closed.
Fixes: https://github.com/nodejs/node/issues/8375
PR-URL: https://github.com/nodejs/node/pull/8755
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Fixes: https://github.com/nodejs/io.js/issues/1461
PR-URL: https://github.com/nodejs/io.js/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
PR-URL: https://github.com/nodejs/node/pull/8786
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
This replaces all sources of openssl-1.0.2j.tar.gz into
deps/openssl/openssl
PR-URL: https://github.com/nodejs/node/pull/8786
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
We documented most types as Integer, but we don't have link for that.
PR-URL: https://github.com/nodejs/node/pull/8740
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This allows passing the socket connection timeout to http#request
such that it will be set before the socket is connecting
PR-URL: https://github.com/nodejs/node/pull/8101
Fixes: https://github.com/nodejs/node/issues/7580
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
New rules:
1. rule-style
2. strong-marker
3. no-shell-dollars
4. no-inline-padding
5. code-block-style
6. no-multiple-toplevel-headings
Fixes to the existing files applied.
PR-URL: https://github.com/nodejs/node/pull/8708
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: James M Snell <jasnell@gmail.com>
The `test-tick-processor-*` tests are now passing everywhere except for
the single-processor 700MHz Raspberry Pi 1 devices.
The tests are CPU-intensive. Skip the tests if there is only one CPU and
it runs at a speed not more than 700 MHz.
PR-URL: https://github.com/nodejs/node/pull/8652
Reviewed-By: Matthew Loring <mattloring@google.com>
Correcting a couple of minor spelling typos in comments.
PR-URL: https://github.com/nodejs/node/pull/8736
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
Commit 46633934fe (src: pull
OnConnection from pipe_wrap and tcp_wrap) removed the private handle_
member from TCPWrap which should allow us to rename the private
handle__ member in HandleWrap.
PR-URL: https://github.com/nodejs/node/pull/8712
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
PR-URL: https://github.com/nodejs/node/pull/8680
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
There are multiple tests that use the same boilerplate to test that
warnings are correctly emitted. This adds a new common function to do that
and changes the tests to use it.
PR-URL: https://github.com/nodejs/node/pull/8662
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Modified test-http-upgrade-client.js
Line 29: Changed var port to const port
Line 30: Changed var headers to const headers
Line 57: Changed assert.equal to assert.strictEqual
Line 61: Changed var expectedHeaders to const
Line 69: Changed '==' to '===' comparison
PR-URL: https://github.com/nodejs/node/pull/8705
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Teddy Katz <teddy.katz@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>