Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:Update
nodejs8.17837
CVE-2020-8287.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2020-8287.patch of Package nodejs8.17837
commit fc70ce08f5818a286fb5899a1bc3aff5965a745e Author: Fedor Indutny <fedor@indutny.com> Date: Wed Nov 18 20:50:21 2020 -0800 http: unset `F_CHUNKED` on new `Transfer-Encoding` Duplicate `Transfer-Encoding` header should be a treated as a single, but with original header values concatenated with a comma separator. In the light of this, even if the past `Transfer-Encoding` ended with `chunked`, we should be not let the `F_CHUNKED` to leak into the next header, because mere presence of another header indicates that `chunked` is not the last transfer-encoding token. CVE-ID: CVE-2020-8287 PR-URL: https://github.com/nodejs-private/node-private/pull/235 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> commit aa6b97fb99d7528649fadb4c6a894e078fe4323c Author: Richard Lau <rlau@redhat.com> Date: Thu Nov 26 15:50:56 2020 +0000 http: add test for http transfer encoding smuggling Refs: https://github.com/nodejs-private/node-private/pull/228 Refs: https://hackerone.com/bugs?report_id=1002188&subject=nodejs PR-URL: https://github.com/nodejs-private/node-private/pull/235 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Index: node-v8.17.0/test/parallel/test-http-transfer-encoding-smuggling.js =================================================================== --- /dev/null +++ node-v8.17.0/test/parallel/test-http-transfer-encoding-smuggling.js @@ -0,0 +1,46 @@ +'use strict'; + +const common = require('../common'); + +const assert = require('assert'); +const http = require('http'); +const net = require('net'); + +const msg = [ + 'POST / HTTP/1.1', + 'Host: 127.0.0.1', + 'Transfer-Encoding: chunked', + 'Transfer-Encoding: chunked-false', + 'Connection: upgrade', + '', + '1', + 'A', + '0', + '', + 'GET /flag HTTP/1.1', + 'Host: 127.0.0.1', + '', + '', +].join('\r\n'); + +// Verify that the server is called only once even with a smuggled request. + +const server = http.createServer(common.mustCall((req, res) => { + res.end(); +}, 1)); + +function send(next) { + const client = net.connect(server.address().port, 'localhost'); + client.setEncoding('utf8'); + client.on('error', common.mustNotCall()); + client.on('end', next); + client.write(msg); + client.resume(); +} + +server.listen(0, common.mustCall((err) => { + assert.ifError(err); + send(common.mustCall(() => { + server.close(); + })); +})); Index: node-v8.17.0/deps/http_parser/http_parser.c =================================================================== --- node-v8.17.0.orig/deps/http_parser/http_parser.c +++ node-v8.17.0/deps/http_parser/http_parser.c @@ -1339,6 +1339,13 @@ reexecute: } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { parser->header_state = h_transfer_encoding; parser->flags |= F_TRANSFER_ENCODING; + + /* Multiple `Transfer-Encoding` headers should be treated as + * one, but with values separate by a comma. + * + * See: https://tools.ietf.org/html/rfc7230#section-3.2.2 + */ + parser->flags &= ~F_CHUNKED; } break; Index: node-v8.17.0/deps/http_parser/test.c =================================================================== --- node-v8.17.0.orig/deps/http_parser/test.c +++ node-v8.17.0/deps/http_parser/test.c @@ -2045,6 +2045,58 @@ const struct message responses[] = ,.body= "2\r\nOK\r\n0\r\n\r\n" ,.num_chunks_complete= 0 } +#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 +, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" + ,.type= HTTP_RESPONSE + ,.raw= "HTTP/1.1 200 OK\r\n" + "Transfer-Encoding: chunked\r\n" + "Transfer-Encoding: identity\r\n" + "\r\n" + "2\r\n" + "OK\r\n" + "0\r\n" + "\r\n" + ,.should_keep_alive= FALSE + ,.message_complete_on_eof= TRUE + ,.http_major= 1 + ,.http_minor= 1 + ,.status_code= 200 + ,.response_status= "OK" + ,.content_length= -1 + ,.num_headers= 2 + ,.headers= + { { "Transfer-Encoding", "chunked" } + , { "Transfer-Encoding", "identity" } + } + ,.body= "2\r\nOK\r\n0\r\n\r\n" + ,.num_chunks_complete= 0 + } +#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 +, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" + ,.type= HTTP_RESPONSE + ,.raw= "HTTP/1.1 200 OK\r\n" + "Transfer-Encoding: chunked\r\n" + "Transfer-Encoding: identity\r\n" + "\r\n" + "2\r\n" + "OK\r\n" + "0\r\n" + "\r\n" + ,.should_keep_alive= FALSE + ,.message_complete_on_eof= TRUE + ,.http_major= 1 + ,.http_minor= 1 + ,.status_code= 200 + ,.response_status= "OK" + ,.content_length= -1 + ,.num_headers= 2 + ,.headers= + { { "Transfer-Encoding", "chunked" } + , { "Transfer-Encoding", "identity" } + } + ,.body= "2\r\nOK\r\n0\r\n\r\n" + ,.num_chunks_complete= 0 + } }; /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor