Just as the 'WWW-Authenticate' HTTP header the 'Proxy-Authenticate' header might
be received several times as well. Currently only one value is preserved. This
change allows to receive multiple values concatenated by space and comma.
Just as the 'WWW-Authenticate' HTTP header the 'Proxy-Authenticate' header might
be received several times as well. Currently only one value is preserved. This
change allows to receive multiple values concatenated by space and comma.
A child process created with .fork() needed to call `process.exit()` explicitly
because the communication channel with the parent kept the event loop alive.
Fix that by only ref'ing the channel when there are 'message' event listeners.
Fixes#3799.
This addresses #4034. There are two problems happening:
1. The domain is not exited automatically when calling dispose() on it.
Then, since the domain is disposed, attempting to exit it again will do
nothing.
2. The active domain is stored on process.domain. Since thrown errors
call `process.emit('uncaughtException', er)`, and the process is an
event emitter with a `.domain` member, it re-enters the domain a second
time before calling the error handler, pushing it onto the stack again.
Thus, if the handler calls `domain.dispose()`, then the domain is now on
the stack twice, and cannot be exited properly. Since the domain is
disposed, any subsequent IO will be no-op'ed, since we've declared that
this context is done and best forgotten.
The solution here is twofold:
1. In EventEmitter.emit, do not enter the domain if `this===process`.
2. Automatically exit the domain when calling `domain.dispose()`.
Make sure the deletion event gets reported in the following scenario:
1. Watch a file.
2. The initial stat() goes okay.
3. Something deletes the watched file.
4. The second stat() fails with ENOENT.
The second stat() translates into the first 'change' event but a logic error
stopped it from getting emitted.
Fixes#4027.
This commit changes the default value of the rejectUnauthorized option from
false to true.
What that means is that tls.connect(), https.get() and https.request() will
reject invalid server certificates from now on, including self-signed
certificates.
There is an escape hatch: if you set the NODE_TLS_REJECT_UNAUTHORIZED
environment variable to the literal string "0", node.js reverts to its
old behavior.
Fixes#3949.
A HTTP/1.0 client does not support 'Transfer-Encoding: chunked' unless it
explicitly requests it by sending a 'TE: chunked' header.
Before this commit, node.js always disabled chunked encoding for HTTP/1.0
clients. Now it will scan for the TE header and turn on chunked encoding if
requested and applicable.
Fixes#940.
With this patch the IPC socket is no longer available in the
ChildProcess.stdio array. This shouldn't be very problematic, since
this socket was effectively non-functional; it would never emit any
events.
Throw an exception in the tls.Server constructor when the options object
doesn't contain either a PFX or a key/certificate combo.
Said change exposed a bug in simple/test-tls-junk-closes-server. Addressed.
Fixes#3941.
It takes an optional "expected exception" argument that is not used meaningfully
but is nevertheless documented. Undocument it, it confuses casual readers of the
documentation.
Fixes#3935.
Update the default cipher list from RC4-SHA:AES128-SHA:AES256-SHA
to ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
in order to mitigate BEAST attacks.
The documentation suggested AES256-SHA but unfortunately that's a CBC cipher
and therefore susceptible to attacks.
Fixes#3900.
Ensure that the delay >= 0 when detaching the timer from the queue. Fixes the
following assertion:
uv_timer_start: Assertion `timeout >= 0' failed.
No test included, it's timing sensitive.
Commit 4e5fe2d changed the way how process.nextTick() works:
process.nextTick(function foo() {
process.nextTick(function bar() {
// ...
});
});
Before said commit, foo() and bar() used to run on separate event loop ticks
but that is no longer the case.
However, that's exactly the behavior that the TLS renegotiation attack guard
relies on. It gets called by OpenSSL and needs to defer the 'error' event to a
later tick because the default action is to destroy the TLS context - the same
context that OpenSSL currently operates on.
When things change underneath your feet, bad things happen and OpenSSL is no
exception. Ergo, use setImmediate() instead of process.nextTick() to ensure
that the 'error' event is actually emitted at a later tick.
Fixes#3840.