`Transfer-Encoding` header might have multiple codings in it. Even
though llhttp cares only about `chunked`, it must check that `chunked`
is the last coding (if present).
ABNF from RFC 7230:
```
Transfer-Encoding = *( "," OWS ) transfer-coding *( OWS "," [ OWS
transfer-coding ] )
transfer-coding = "chunked" / "compress" / "deflate" / "gzip" /
transfer-extension
transfer-extension = token *( OWS ";" OWS transfer-parameter )
transfer-parameter = token BWS "=" BWS ( token / quoted-string )
```
However, if `chunked` is not last - llhttp must assume that the encoding
and size of the body is unknown (according to 3.3.3 of RFC 7230) and
read the response until EOF. For request - the error must be raised for
an unknown `Transfer-Encoding`.
Furthermore, 3.3.3 of RFC 7230 explicitly states that presence of both
`Transfer-Encoding` and `Content-Length` indicates the smuggling attack
and "ought to be handled as an error".
For the lenient mode:
* Unknown `Transfer-Encoding` in requests is not an error and request
body is simply read until EOF (end of connection)
* Only `Transfer-Encoding: chunked` together with `Content-Length` would
result in an error (just like before the patch)
PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
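The framing rules stated in the commit message above, as an added example that is not llhttp or http-parser code. The names `chunked_is_last`, `decide` and the `framing` enum are hypothetical, and the input strings are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; a model of the rules above, not llhttp's code. */
enum framing { FRAME_CHUNKED, FRAME_UNTIL_EOF, FRAME_ERROR };

static int is_ows_or_comma(char c) { return c == ' ' || c == '\t' || c == ','; }

/* 1 if the final non-empty list element of a Transfer-Encoding value is
 * "chunked" (case-insensitive). Simplification: a malformed, unterminated
 * quoted-string parameter is not detected. */
static int chunked_is_last(const char *v) {
  static const char want[] = "chunked";
  size_t end = strlen(v), start, i;
  while (end > 0 && is_ows_or_comma(v[end - 1]))   /* "chunked , ," */
    end--;
  for (start = end; start > 0 && v[start - 1] != ','; start--)
    ;
  while (start < end && (v[start] == ' ' || v[start] == '\t'))
    start++;
  if (end - start != sizeof(want) - 1)
    return 0;
  for (i = 0; i < end - start; i++)
    if (tolower((unsigned char)v[start + i]) != want[i])
      return 0;
  return 1;
}

/* te is the Transfer-Encoding value of a message that carries the header. */
static enum framing decide(int is_request, const char *te,
                           int has_content_length, int lenient) {
  int chunked = chunked_is_last(te);
  if (has_content_length && (chunked || !lenient))
    return FRAME_ERROR;       /* TE together with CL: smuggling indicator */
  if (chunked)
    return FRAME_CHUNKED;
  if (is_request && !lenient)
    return FRAME_ERROR;       /* request body length cannot be determined */
  return FRAME_UNTIL_EOF;     /* response, or lenient request */
}

int main(void) {
  /* Constructed sample: a request that lists chunked before gzip. */
  printf("strict=%d lenient=%d\n", decide(1, "chunked, gzip", 0, 0),
         decide(1, "chunked, gzip", 0, 1));
  return 0;
}
```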
The include is required for type size_t. stddef.h should be available
on every platform, sys/types.h is not.
PR-URL: https://github.com/nodejs/http-parser/pull/360
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This patch provides an enum for the standardized HTTP status codes.
Additionally, the HTTP_STATUS_MAP(XX) can be used for other purposes as
well, such as code-to-name lookups and code-based switch statements.
PR-URL: https://github.com/nodejs/http-parser/pull/337
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Returning `2` from on_headers_complete will tell parser that it
should expect neither a body nor any further responses on
this connection. This is useful for handling responses to a
CONNECT request which may not contain `Upgrade` or
`Connection: upgrade` headers.
See: https://github.com/nodejs/node/pull/6198
PR-URL: https://github.com/nodejs/http-parser/pull/299
Reviewed-By: Brian White <mscdex@mscdex.net>
Fixes a header parsing bug for obstext characters (> 0x80)
Adaption of nodejs/node@954a4b4b:
Author: James M Snell <jasnell@gmail.com>
Date: Mon Feb 15 09:40:58 2016 -0800
deps: update to http-parser 2.6.2
Fixes http-parser regression with IS_HEADER_CHAR check
Add test case for obstext characters (> 0x80) in header
PR-URL: https://github.com/nodejs/node/pull/5237
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
PR-URL: https://github.com/nodejs/http-parser/pull/287
Reviewed-By: James M Snell <jasnell@gmail.com>
Includes parsing improvements to ensure closer HTTP spec conformance
Adaption of nodejs/node@4f4c8ab3b4cea246d2ece6ca006fe280241d84a4:
Author: James M Snell <jasnell@gmail.com>
Date: Wed Feb 3 17:28:48 2016 -0800
deps: update http-parser to version 2.6.1
includes parsing improvements to ensure closer HTTP spec conformance
PR-URL: https://github.com/nodejs/node-private/pull/26
Reviewed-By: Rod Vagg <r@va.gg>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/http-parser/pull/279
Reviewed-By: James M Snell <jasnell@gmail.com>
The struct must be zero-initialized, but this wasn't explicitly stated
anywhere in headers. Introduce `http_parser_url_init` API method that
will do it.
Fixes: #209
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
PR-URL: https://github.com/nodejs/http-parser/pull/225
Remove the HTTP_PARSER_DEBUG macro for two reasons:
* It changes the size of struct http_parser, resulting in spurious memory
corruption bugs if part of your application is built with HTTP_PARSER_DEBUG=1
and other parts with HTTP_PARSER_DEBUG=0.
* It's a debugging tool for maintainers. It should never have been exposed in
the API in the first place.