Before this commit `Content-Length: 4 2` was accepted as a valid header
and recorded as `parser->content_length = 42`. Now it is a parse error
that fails with error `HPE_INVALID_CONTENT_LENGTH`.
Downstream users that inspect `parser->content_length` and naively parse
the string value using `strtoul()` might get confused by the discrepancy
between the two values. Resolve that by simply not letting it happen.
Fixes: https://github.com/nodejs-private/security/issues/178
PR-URL: https://github.com/nodejs-private/http-parser-private/pull/1
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
`strtoul` will attempt to lookup the next digit up until it will stumble
upon an invalid one. However, for an unterminated string as an input
value, this results in out-of-bounds read.
Remove `strtoul` call, and replace it with simple loop.
Fix: #408
PR-URL: https://github.com/nodejs/http-parser/pull/409
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The boilerplate included attribution to NGINX that created confusion
because NGINX is distributed under a different license (BSD, not MIT.)
To the best of everyone's knowledge, no actual NGINX code remains.
Remove the attribution to clear up the confusion.
Fixes: https://github.com/nodejs/http-parser/issues/389
PR-URL: https://github.com/nodejs/http-parser/pull/390
Reviewed-By: Fedor Indutny <fedor@indutny.com>
can use same switch-lookup for '-' char case
move PROPFIND and PURGE to be next to the other P methods
change IS_ALPHA(ch) to A <= ch <= Z
(very slight optimization, only uppercase will match in switch)
PR-URL: https://github.com/nodejs/http-parser/pull/323
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
- original fix is from daeon: https://github.com/daeon/http-parser/
"Tolerate web servers which do not return a status message in the
return response.
I have noticed this usse on several websites such downloads from
mediafire.com"
- original pull request: https://github.com/nodejs/http-parser/pull/254
- i merely added the status_cb_called unit test check, there already
is a test that triggers this without the patch (a 301 without a
reason phrase).
PR-URL: https://github.com/nodejs/http-parser/pull/367
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Only one digit is allowed for the major version and only one is
allowed for the minor version according to RFC 7230.
PR-URL: https://github.com/nodejs/http-parser/pull/366
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Microsoft C++ compiler fails when this assert appears before the
declarations. Moved assert to appear after the declarations.
PR-URL: https://github.com/nodejs/http-parser/pull/293
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Returning `2` from on_headers_complete will tell parser that it
should not expect neither a body nor any futher responses on
this connection. This is useful for handling responses to a
CONNECT request which may not contain `Upgrade` or
`Connection: upgrade` headers.
See: https://github.com/nodejs/node/pull/6198
PR-URL: https://github.com/nodejs/http-parser/pull/299
Reviewed-By: Brian White <mscdex@mscdex.net>
Fixes a header parsing bug for obstext characters (> 0x80)
Adaption of nodejs/node@954a4b4b:
Author: James M Snell <jasnell@gmail.com>
Date: Mon Feb 15 09:40:58 2016 -0800
deps: update to http-parser 2.6.2
Fixes http-parser regression with IS_HEADER_CHAR check
Add test case for obstext characters (> 0x80) is header
PR-URL: https://github.com/nodejs/node/pull/5237
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
PR-URL: https://github.com/nodejs/http-parser/pull/287
Reviewed-By: James M Snell <jasnell@gmail.com>
Use a switch and a macro to branch parsing of HTTP methods.
Easier to read and much shorter.
In this commit, the order of branches dispatching is the same as in the
original code, to ease review. Reordering branches by descending
frequency will improve speed too.
PR-URL: https://github.com/nodejs/http-parser/pull/273
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Includes parsing improvements to ensure closer HTTP spec conformance
Adaption of nodejs/node@4f4c8ab3b4cea246d2ece6ca006fe280241d84a4:
Author: James M Snell <jasnell@gmail.com>
Date: Wed Feb 3 17:28:48 2016 -0800
deps: update http-parser to version 2.6.1
includes parsing improvements to ensure closer HTTP spec conformance
PR-URL: https://github.com/nodejs/node-private/pull/26
Reviewed-By: Rod Vagg <r@va.gg>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/http-parser/pull/279
Reviewed-By: James M Snell <jasnell@gmail.com>
The struct must be zero-initialized, but this wasn't explicitly stated
anywhere in headers. Introduce `http_parser_url_init` API method that
will do it.
Fixes: #209
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
PR-URL: https://github.com/nodejs/http-parser/pull/225
IPv6 scoped address contains Zone ID, which is appended to IPv6
address after '%' separator. RFC 6874 says that Zone ID after '%'
must consist of 1*(unreserved or pct-encoded). This commit adds this
IPv6 Zone ID support.
PR-URL: https://github.com/joyent/http-parser/pull/253
Reviewed-By: Fedor Indutny <fedor@indutny.com>
http_parse_host() depends on `u->field_data[UF_HOST]`, but this
if() allowed the method to be called if only
`u->field_data[UF_SCHEMA]` was set, resulting in use of
unintialized pointers.
PR-URL: https://github.com/joyent/http-parser/pull/246
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Do explicit casts from/to enums, convert type of `memchr`'s return value
to `const char*`.
PR-URL: https://github.com/joyent/http-parser/pull/213
Reviewed-By: Bert Belder <bertbelder@gmail.com>
RFC-7230 Sec 3.2.4 expressly forbids line-folding in header
field-names.
This change no longer allows obsolete line-folding between the
header field-name and the colon. If HTTP_PARSER_STRICT is unset,
the parser still allows space characters.
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Always discard leading whitespace in a header value, even if it
is folded.
Pay attention to values of interesting headers (Connection,
Content-Length, etc.) even when they come on a continuation line.
Add a test case to check that requests and responses using only LF
to separate lines are handled correctly.
The support for folding of multi-line header values does not conform
to the specs. Given a request containing
Multi-Line-Header: foo<CRLF>
bar<CRLF>
http-parser will eliminate the whitespace breaking the header value to
yield a header value of "foobar". This is confirmed by the
LINE_FOLDING_IN_HEADER case in tests.c.
But from rfc2616, section 2.2:
A CRLF is allowed in the definition of TEXT only as part of a header
field continuation. It is expected that the folding LWS will be
replaced with a single SP before interpretation of the TEXT value.
And from draft-ietf-httpbis-p1-messaging-25, section 3.2.4:
A server that receives an obs-fold in a request message that is not
within a message/http container MUST either reject the message by
sending a 400 (Bad Request), preferably with a representation
explaining that obsolete line folding is unacceptable, or replace
each received obs-fold with one or more SP octets prior to
interpreting the field value or forwarding the message downstream.
So in the example above, the header value should be interpreted as
"foo bar", possibly with multiple spaces. The current http-parser
behaviour of eliminating the LWS altogether clearly deviates from the
specs.
For http-parser itself to confirm exactly would involve significant
changes in order to synthesize replacement SP octets. Such changes
are unlikely to be worth it to support what is an obscure and
deprecated feature. But http-parser should at least preserve some
separating whitespace when folding multi-line header values, so that
applications using http-parser can conform to the specs.
This commit is a minimal change to preserve whitespace when folding
lines. It eliminates the CRLF, but retains any trailing and leading
whitespace in the header value.
The HTTP_MAX_HEADER_SIZE check is not there to guard against
buffer overflows, it's there to protect unwitting embedders
against denial-of-service attacks.
Ben Noordhuis
Fedor Indutny
Pierce Lopez
André Klitzing
Thomas 'fake' Jakobi
Brian White
Jonathan Marler
Johan Bergström
Olivier Mengué
James M Snell
Sebastian Philipp
Ivan Enderlin
Tatsuhiro Tsujikawa
dlmeetei@gmail.com
Jan Schär
Daniel Knoppel (Phusion)
Kjell Schubert
Romain Giraud
Jon Kolb
Jeff Pinner
Alexis La Goutte
Helge Heß
Vinnie Falco
David Wragg
Alexis Campailla
Patrik Stutz
Chris Dickinson