Set the Connection header to 'close' to work around a v0.10 quirk.
Prevents the test from timing out due to a still open TCP connection.
Test introduced in 1e45a61 ("deps: update http-parser to version 1.2").
PR-URL: https://github.com/nodejs/node/pull/5511
Reviewed-By: James M Snell <jasnell@gmail.com>
Fixes http-parser regression with IS_HEADER_CHAR check
Add test case for obstext characters (> 0x80) in header
PR-URL: https://github.com/nodejs/node/pull/5242
Reviewed-By: Rod Vagg <rod@vagg.org>
Fix node exiting due to an exception being thrown rather than emitting
an 'uncaughtException' event on the process object when:
1. no error handler is set on the domain within which an error is thrown
2. an 'uncaughtException' event listener is set on the process
Also fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and --abort-on-uncaught-exception is used.
Fixes#3607 and #3653.
PR: #3887
PR-URL: https://github.com/nodejs/node/pull/3887
Reviewed-By: James M Snell <jasnell@gmail.com>
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes:
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 1.0 to 1.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
* build:
- xz compressed tar files will be made available from nodejs.org for
v0.10 builds from v0.10.42 onward
- A headers.tar.gz file will be made available from nodejs.org for
v0.10 builds from v0.10.42 onward, a future change to node-gyp
will be required to make use of these
PR-URL: https://github.com/nodejs/node-private/pull/25
PR-URL: https://github.com/nodejs/node/pull/4894
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: James M Snell <jasnell@gmail.com>
Backport the tools/install.py changes from 628a3ab that were missed
when 6fb0b92 backported the corresponding changes to the Makefile to
build the headers only archive.
PR-URL: https://github.com/nodejs/node/pull/4149
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rod Vagg <rod@vagg.org>
This replaces all sources of openssl-1.0.1r.tar.gz into
deps/openssl/openssl
PR-URL: https://github.com/nodejs/node/pull/4967
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
deps: copy all openssl header files to include dir
All symlink files in `deps/openssl/openssl/include/openssl/`
are removed and replaced with real header files to avoid
issues on Windows. Two files of opensslconf.h in crypto and
include dir are replaced to refer config/opensslconf.h.
PR-URL: https://github.com/nodejs/node/pull/4967
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
deps: separate sha256/sha512-x86_64.pl for openssl
sha256-x86_64.pl does not exist in the origin openssl distribution. It
was copied from sha512-x86_64.pl and both sha256/sha512 scripts were
modified so as to generates only one asm file specified as its key
hash length.
PR: #9451
PR-URL: https://github.com/joyent/node/pull/9451
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
deps: fix openssl assembly error on ia32 win32
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .
PR: #9451
PR-URL: https://github.com/joyent/node/pull/9451
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
openssl: fix keypress requirement in apps on win32
reapply b910613792
PR: #9451
PR-URL: https://github.com/joyent/node/pull/9451
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
deps: add -no_rand_screen to openssl s_client
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
(cherry picked from commit 9f0f7c38e6df975dd39735d0e9ef968076369c74)
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/joyent/node/pull/25368
The `--security-revert={cvenum}` command line flag is a special purpose
flag to be used only in stable or LTS branches when a breaking change
is required to address a security vulnerability. Whenever a vulnerability
requires a breaking change, and a CVE has been assigned, the flag can
be used to force Node to revert to the insecure behavior that was
implemented before the fix was applied.
Note that this flag is intended to be used only as a last resort in the
case a security update breaks existing code. When used, a security
warning will be printed to stderr when Node launches.
The `--security-revert={cvenum}` flag takes a single CVE number as an
argument. Multiple instances of the `--security-revert={cvenum}` flag
can be used on the command line to revert multiple changes.
Whenever a new `--security-revert={cvenum}` is enabled, it should be
documented in the release notes and in the API docs.
Master and the first release of a new major (e.g. v6.0) should not have
any reverts available.
Every time a new `--security-revert={cvenum}` is added, there should be
a semver-minor bump in the stable and LTS branch.
PR-URL: https://github.com/nodejs/node-private/pull/22
Security Update
Notable items:
* build: Add support for Microsoft Visual Studio 2015
* npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as
part of the strategy to get a version of npm into Node.js v0.10.x that
works with the current registry
(https://github.com/nodejs/LTS/issues/37). This version of npm prints
out a banner each time it is run. The banner warns that the next
standard release of Node.js v0.10.x will ship with a version of npm
v2.
* openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194
"Certificate verify crash with missing PSS parameter", a potential
denial-of-service vector for Node.js TLS servers; TLS clients are also
impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis)
#4133
PR-URL: https://github.com/nodejs/node-private/pull/15
When MSBuild invokes rc.exe, it passes NODE_TAG unstringified, but
passes it correctly to cl.exe. Hence, this workaround was made to
apply only to the resource file.
Fixes: https://github.com/nodejs/node/issues/2963
PR-URL: https://github.com/nodejs/node/pull/3053
Reviewed-By: Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
This is a port of e07c86e240 from v0.12.
Original commit message:
Try the next version of Microsoft Visual Studio when vcvarsall.bat
fails to set VCINSTALLDIR.
PR-URL: https://github.com/nodejs/node/pull/2843
Reviewed-By: rvagg - Rod Vagg <rod@vagg.org>
Reviewed-By: orangemocha - Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/node/pull/2910
Reviewed-By: orangemocha - Alexis Campailla <orangemocha@nodejs.org>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
This is a port of b0dd3bf499 .
Original commit message:
Windows 10 wasn't listed in the executable manifest.
This caused problems with trying to detect Windows 10
via `os.release()`.
PR-URL: https://github.com/nodejs/io.js/pull/2332
Reviewed-By: Roman Reiss <me@silverwind.io>
PR-URL: https://github.com/nodejs/node/pull/2838
Reviewed-By: silverwind - Roman Reiss <me@silverwind.io>
It was pointed out by Zhou Ran that the Windows XP implementation of
uv_rwlock_rdlock() and friends may unlock the inner write mutex on a
different thread than the one that locked it, resulting in undefined
behavior.
The only place that uses rwlocks is the crypto module. Make that use
normal (simple) mutexes instead.
OpenSSL's critical sections are generally very short, with exclusive
access outnumbering shared access by a factor of three or more, so
it's not as if using rwlocks gives a decisive performance advantage.
PR-URL: https://github.com/nodejs/node/pull/2723
Reviewed-By: Fedor Indutny <fedor@indutny.com>
This section was inconsistent with the actual behavior of `require` and
with other parts of this same document, which do describe the ability
to treat index.json as a module’s default file.
PR-URL: https://github.com/joyent/node/pull/8868
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
Using `arguments` and reassigning parameter variable
values causes v8 to disable function optimization.
PR-URL: https://github.com/joyent/node/pull/8942
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
This is a port of nodejs/node@eb459c81512c2ce61ee488450fc2d4006cb63198 ,
used as a floating patch over gyp.
Original commit message:
This issue has already submitted to the upstream in
https://code.google.com/p/gyp/issues/detail?id=477
Use this commit until the upstream is to be fixed.
PR-URL: https://github.com/iojs/io.js/pull/1325
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/joyent/node/pull/25857
Reviewed-By: Alexis Campailla <alexis@janeasystems.com>
This test failed in a recent Jenkins run for a change that was 100%
not related to it.
PR-URL: https://github.com/joyent/node/pull/25807
Reviewed-By: James M Snell <jasnell@gmail.com>
Older WiX versions included a header with extern "C" declaration,
hence the custom action source must be C++.
Reviewed-By: João Reis <reis@janeasystems.com>
PR-URL: https://github.com/joyent/node/pull/25569
The original change that added support for running custom actions during
the install process (e7c84f82c7) assumed
that Visual Studio 2013 is used to generate the installer file.
However, that is not always the case, and older versions of Visual
Studio should allow users to generate Windows installer files. This
change makes the custom actions visual studio project use the visual
studio version that is found by vcbuild.bat.
Reviewed-By: João Reis <reis@janeasystems.com>
PR-URL: https://github.com/joyent/node/pull/25569
Backport commit a58b17456a from branch
v0.12.
Original commit message:
vcbuild.bat calls python configure before setting GYP_MSVS_VERSION,
so SelectVisualStudioVersion (tools\gyp\pylib\gyp\MSVSVersion.py)
defaults to 'auto' and selects VS 2005.
vcbuild sets the environment in the current shell, so this issue
would manifest itself only on the first invocation of the script
in any given shell windows.
Reviewed-By: Julien Gilli <jgilli@fastmail.fm>
PR-URL: https://github.com/joyent/node/pull/20109
Conflicts:
vcbuild.bat
Reviewed-By: João Reis <reis@janeasystems.com>
PR-URL: https://github.com/joyent/node/pull/25569
It seems that test-net-error-twice.js does not behave as expected. Its
goal is to test fireErrorCallbacks, but it doesn't do it correctly,
leading to false negatives on some platforms and failures on others.
This change marks this test as flaky so that we can use our CI to land
changes in the v0.10 branch until we can fix it properly.
See the corresponding issue at
https://github.com/joyent/node/issues/9325 for more details.
PR: #25760
PR-URL: https://github.com/joyent/node/pull/25760
Reviewed-By: João Reis <reis@janeasystems.com>
Before this change, test/simple/test-abort-fatal-error.js would fail in
some environments for reasons I wasn't able to fully understand. It was
marked as flaky on some systems, but not on others on which it was
failing sometimes (OSX).
This change basically syncs test-abort-fatal-error with how it's
implemented in v0.12. It back ports 429b5870 (or rather the parts that
apply to it since it's a merge commit), 2f5e77f and 114bff4.
After backporting these changes in v0.10, test-abort-fatal-error is not
flaky anymore in environments for which it was flaky. It also has the
added benefit of being more robust because it checks exit codes and
signals instead of error messages.
Tested on OSX and SmartOS, the only platforms on which I could reproduce
the flakiness of this test.
This change also removes test-abort-fatal-error from the list of flaky
tests in test/simple/simple.status.
Fixes#25720.
PR: #25755
PR-URL: https://github.com/joyent/node/pull/25755
Reviewed-By: João Reis <reis@janeasystems.com>
Make the test runner return a 0 exit code when only
flaky tests fail and --flaky-tests=dontcare is specified.
PR-URL: https://github.com/joyent/node/pull/25686
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
Adding support for specifying flaky test mode to
the test runner:
- via an environment variable FLAKY_TESTS for Makefile
- via an argument ignore-flaky for vcbuild.bat
PR-URL: https://github.com/joyent/node/pull/25686
Reviewed-By: Julien Gilli <julien.gilli@joyent.com>
Ben Noordhuis
James M Snell
Julien Gilli
Rod Vagg
Richard Lau
Shigeki Ohtsu
João Reis
Forrest L Norvell
Lucien Greathouse
Alexis Campailla
skenqbx
Jörg Krause
Elan Shanker
Brian White
Andy Polyakov
Henrique Aparecido Lavezzo
Bert Belder
Johan Bergström