Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
nodejs4.9929
CVE-2018-12116.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2018-12116.patch of Package nodejs4.9929
Ported from following patches, http: disallow two-byte characters in URL path CVE-2018-12116 Backport of b961d9f to 6.x Original commit: This commit changes node's handling of two-byte characters in the path component of an http URL. Previously, node would just strip the higher byte when generating the request. So this code: ``` http.request({host: "example.com", port: "80", "/N"}) ``` would request `http://example.com/.` (`.` is the character for the byte `0x2e`). This is not useful and can in some cases lead to filter evasion. With this change, the code generates `ERR_UNESCAPED_CHARACTERS`, just like space and control characters already did. PR-URL: #16237 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Timothy Gu <timothygu99@gmail.com> PR-URL: nodejs-private/node-private#146 Fixes: nodejs-private/security#207 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Timothy Gu <timothygu99@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> From 35344e87bfc7c01079502850ce023e781a85db2d Mon Sep 17 00:00:00 2001 From: James M Snell <jasnell@gmail.com> Date: Wed, 16 Aug 2017 09:34:37 -0700 Subject: [PATCH] src: minor cleanup for node_revert Make the revert related functions inline to eliminate the need for node_revert.cc, prefitx the constants and the def, other misc cleanup PR-URL: https://github.com/nodejs/node/pull/14864 Reviewed-By: Anna Henningsen <anna@addaleax.net> From dd20c0186fab9dd92b42f280b8d2b6f980f6b406 Mon Sep 17 00:00:00 2001 From: Matteo Collina <hello@matteocollina.com> Date: Thu, 20 Sep 2018 15:02:26 +0200 Subject: [PATCH] http: add --security-revert for CVE-2018-12116 PR-URL: https://github.com/nodejs-private/node-private/pull/146 Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Timothy Gu <timothygu99@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Index: node-v4.9.1/lib/_http_client.js =================================================================== --- node-v4.9.1.orig/lib/_http_client.js +++ node-v4.9.1/lib/_http_client.js @@ -14,6 +14,10 @@ const OutgoingMessage = require('_http_o const Agent = require('_http_agent'); const Buffer = require('buffer').Buffer; +const REVERT_CVE_2018_12116 = process.REVERT_CVE_2018_12116; + +const INVALID_PATH_REGEX = /[^\u0021-\u00ff]/; + function ClientRequest(options, cb) { var self = this; @@ -40,15 +44,21 @@ function ClientRequest(options, cb) { if (self.agent && self.agent.protocol) expectedProtocol = self.agent.protocol; - if (options.path && /[\u0000-\u0020]/.test(options.path)) { - // The actual regex is more like /[^A-Za-z0-9\-._~!$&'()*+,;=/:@]/ - // with an additional rule for ignoring percentage-escaped characters - // but that's a) hard to capture in a regular expression that performs - // well, and b) possibly too restrictive for real-world usage. That's - // why it only scans for spaces because those are guaranteed to create - // an invalid request. - throw new TypeError('Request path contains unescaped characters.'); - } else if (protocol !== expectedProtocol) { + var path; + if (options.path) { + path = String(options.path); + var invalidPath; + if (REVERT_CVE_2018_12116) { + invalidPath = /[\u0000-\u0020]/.test(path); + } else { + invalidPath = INVALID_PATH_REGEX.test(path); + } + + if (invalidPath) + throw new TypeError('Request path contains unescaped characters'); + } + + if (protocol !== expectedProtocol) { throw new Error('Protocol "' + protocol + '" not supported. ' + 'Expected "' + expectedProtocol + '".'); } Index: node-v4.9.1/test/parallel/test-http-client-invalid-path.js =================================================================== --- /dev/null +++ node-v4.9.1/test/parallel/test-http-client-invalid-path.js @@ -0,0 +1,13 @@ +'use strict'; + +require('../common'); + +const http = require('http'); +const assert = require('assert'); + +assert.throws(() => { + http.request({ + path: '/thisisinvalid\uffe2' + }).end(); +}, /Request path contains unescaped characters/); + Index: node-v4.9.1/node.gyp =================================================================== --- node-v4.9.1.orig/node.gyp +++ node-v4.9.1/node.gyp @@ -152,7 +152,6 @@ 'src/node_javascript.cc', 'src/node_main.cc', 'src/node_os.cc', - 'src/node_revert.cc', 'src/node_util.cc', 'src/node_v8.cc', 'src/node_stat_watcher.cc', Index: node-v4.9.1/src/node.cc =================================================================== --- node-v4.9.1.orig/src/node.cc +++ node-v4.9.1/src/node.cc @@ -153,6 +153,9 @@ static node_module* modlist_builtin; static node_module* modlist_linked; static node_module* modlist_addon; +// Bit flag used to track security reverts (see node_revert.h) +unsigned int reverted = 0; + #if defined(NODE_HAVE_I18N_SUPPORT) // Path to ICU data (for i18n / Intl) static const char* icu_data_dir = nullptr; @@ -3126,11 +3129,11 @@ void SetupProcessObject(Environment* env // --security-revert flags #define V(code, _, __) \ do { \ - if (IsReverted(REVERT_ ## code)) { \ + if (IsReverted(SECURITY_REVERT_ ## code)) { \ READONLY_PROPERTY(process, "REVERT_" #code, True(env->isolate())); \ } \ } while (0); - REVERSIONS(V) + SECURITY_REVERSIONS(V) #undef V size_t exec_path_len = 2 * PATH_MAX; Index: node-v4.9.1/src/node_revert.cc =================================================================== --- node-v4.9.1.orig/src/node_revert.cc +++ /dev/null @@ -1,53 +0,0 @@ -#include "node_revert.h" -#include <stdio.h> -#include <string.h> - -namespace node { - -unsigned int reverted = 0; - -const char* RevertMessage(const unsigned int cve) { -#define V(code, label, msg) case REVERT_ ## code: return label ": " msg; - switch (cve) { - REVERSIONS(V) - default: - return "Unknown"; - } -#undef V -} - -void Revert(const unsigned int cve) { - reverted |= 1 << cve; - printf("SECURITY WARNING: Reverting %s\n", RevertMessage(cve)); -} - -void Revert(const char* cve) { -#define V(code, label, _) \ - do { \ - if (strcmp(cve, label) == 0) { \ - Revert(static_cast<unsigned int>(REVERT_ ## code)); \ - return; \ - } \ - } while (0); - REVERSIONS(V) -#undef V - printf("Error: Attempt to revert an unknown CVE [%s]\n", cve); - exit(12); -} - -bool IsReverted(const unsigned int cve) { - return reverted & (1 << cve); -} - -bool IsReverted(const char * cve) { -#define V(code, label, _) \ - do { \ - if (strcmp(cve, label) == 0) \ - return IsReverted(static_cast<unsigned int>(REVERT_ ## code)); \ - } while (0); - REVERSIONS(V) - return false; -#undef V -} - -} // namespace node Index: node-v4.9.1/src/node_revert.h =================================================================== --- node-v4.9.1.orig/src/node_revert.h +++ node-v4.9.1/src/node_revert.h @@ -2,6 +2,7 @@ #define SRC_NODE_REVERT_H_ #include "node.h" +#include <string.h> /** * Note that it is expected for this list to vary across specific LTS and @@ -10,33 +11,56 @@ * consensus. * * For *master* this list should always be empty! - * **/ -#define REVERSIONS(XX) \ - XX(CVE_2016_2216, "CVE-2016-2216", "Strict HTTP Header Parsing") - namespace node { -typedef enum { -#define V(code, _, __) REVERT_ ## code, - REVERSIONS(V) +#define SECURITY_REVERSIONS(XX) \ + XX(CVE_2016_2216, "CVE-2016-2216", "Strict HTTP Header Parsing") \ + XX(CVE_2018_12116, "CVE-2018-12116", "HTTP request splitting") + +enum reversion { +#define V(code, ...) SECURITY_REVERT_##code, + SECURITY_REVERSIONS(V) #undef V -} reversions_t; +}; -/* A bit field for tracking the active reverts */ extern unsigned int reverted; -/* Revert the given CVE (see reversions_t enum) */ -void Revert(const unsigned int cve); - -/* Revert the given CVE by label */ -void Revert(const char* cve); - -/* true if the CVE has been reverted **/ -bool IsReverted(const unsigned int cve); +inline const char* RevertMessage(const reversion cve) { +#define V(code, label, msg) case SECURITY_REVERT_##code: return label ": " msg; + switch (cve) { + SECURITY_REVERSIONS(V) + default: + return "Unknown"; + } +#undef V +} -/* true if the CVE has been reverted **/ -bool IsReverted(const char * cve); +inline void Revert(const reversion cve) { + reverted |= 1 << cve; + printf("SECURITY WARNING: Reverting %s\n", RevertMessage(cve)); +} + +inline void Revert(const char* cve) { +#define V(code, label, _) \ + if (strcmp(cve, label) == 0) return Revert(SECURITY_REVERT_##code); + SECURITY_REVERSIONS(V) +#undef V + printf("Error: Attempt to revert an unknown CVE [%s]\n", cve); + exit(12); +} + +inline bool IsReverted(const reversion cve) { + return reverted & (1 << cve); +} + +inline bool IsReverted(const char* cve) { +#define V(code, label, _) \ + if (strcmp(cve, label) == 0) return IsReverted(SECURITY_REVERT_##code); + SECURITY_REVERSIONS(V) + return false; +#undef V +} } // namespace node Index: node-v4.9.1/src/node_http_parser.cc =================================================================== --- node-v4.9.1.orig/src/node_http_parser.cc +++ node-v4.9.1/src/node_http_parser.cc @@ -679,7 +679,7 @@ class Parser : public AsyncWrap { void Init(enum http_parser_type type) { http_parser_init(&parser_, type); /* Allow the strict http header parsing to be reverted */ - parser_.lenient_http_headers = IsReverted(REVERT_CVE_2016_2216) ? 1 : 0; + parser_.lenient_http_headers = IsReverted(SECURITY_REVERT_CVE_2016_2216) ? 1 : 0; url_.Reset(); status_message_.Reset(); num_fields_ = 0;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor