From 496736ff786242a36c5f4e432ce2e4a4e684ef72 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Wed, 20 Nov 2019 11:48:58 -0800 Subject: [PATCH] http: opt-in insecure HTTP header parsing Allow insecure HTTP header parsing. Make clear it is insecure. See: - https://github.com/nodejs/node/pull/30553 - https://github.com/nodejs/node/issues/27711#issuecomment-556265881 - https://github.com/nodejs/node/issues/30515 PR-URL: https://github.com/nodejs/node/pull/30567 Backport-PR-URL: https://github.com/nodejs/node/pull/30473 Reviewed-By: Fedor Indutny Reviewed-By: Anna Henningsen Reviewed-By: Denys Otrishko Reviewed-By: James M Snell --- doc/api/cli.md | 11 +++++++++++ doc/node.1 | 6 ++++++ lib/_http_client.js | 4 +++- lib/_http_common.js | 12 ++++++++++++ lib/_http_server.js | 4 +++- src/node_http_parser_impl.h | 7 +++++-- src/node_options.cc | 4 ++++ src/node_options.h | 2 ++ 8 files changed, 46 insertions(+), 4 deletions(-) diff --git a/doc/api/cli.md b/doc/api/cli.md index f9eb87e2b70..b70845cffc2 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -420,6 +420,16 @@ added: v9.0.0 Specify the `module` of a custom [experimental ECMAScript Module][] loader. `module` may be either a path to a file, or an ECMAScript Module name. +### `--insecure-http-parser` + + +Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow +interoperability with non-conformant HTTP implementations. It may also allow +request smuggling and other HTTP attacks that rely on invalid headers being +accepted. Avoid using this option. + ### `--max-http-header-size=size`