deps: backport f617ccc644 from uv upstream #6392
protect against realpath(3) exploit

ref: isaacs/node-glob#259 (comment)

Original commit message:

unix: error on realpath if PATH_MAX is undefined

Currently when PATH_MAX is undefined realpath will default to using 4096. There is a potential stack overflow attack that can be mitigated by having PATH_MAX defined. This change conservatively errors if a system does not have PATH_MAX defined.

This change also explicitly includes `limits.h` to ensure that all platforms have PATH_MAX defined if it is available.

Ref: http://pubs.opengroup.org/onlinepubs/9699919799/functions/realpath.html
Refs: nodejs#2680 (comment)
PR-URL: nodejs#843
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Saúl Ibarra Corretgé <saghul@gmail.com>
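The guard that the commit message describes, as an added C example that is not libuv's or Node's own code: the build-time check on PATH_MAX sits in front of a realpath(3) call into a fixed-size buffer. The helper name `resolve_path` and the `-ENOSYS` return for the undefined case are assumptions made for this illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose realpath() and PATH_MAX under strict -std= modes */
#endif
#include <errno.h>
#include <limits.h>         /* PATH_MAX, if the platform defines one */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: resolve `path` into `out` (capacity `out_len`).
 * Returns 0 on success or a negative errno value. */
int resolve_path(const char *path, char *out, size_t out_len) {
#if !defined(PATH_MAX)
  /* No compile-time bound is known, so realpath() may write more than any
   * buffer size we guess. Refuse instead of silently assuming 4096. */
  (void) path; (void) out; (void) out_len;
  return -ENOSYS;           /* assumed error code for this example */
#else
  char buf[PATH_MAX];       /* realpath() writes at most PATH_MAX bytes here */
  size_t len;

  if (path == NULL || out == NULL)
    return -EINVAL;
  if (realpath(path, buf) == NULL)
    return -errno;          /* e.g. -ENOENT, -ELOOP, -ENAMETOOLONG */

  len = strlen(buf);
  if (len >= out_len)       /* caller's buffer cannot hold result plus NUL */
    return -ENAMETOOLONG;
  memcpy(out, buf, len + 1);
  return 0;
#endif
}

int main(void) {
  char out[256];
  int rc = resolve_path("/", out, sizeof out);
  if (rc == 0)
    printf("resolved: %s\n", out);
  else
    printf("resolve_path failed: %d\n", rc);
  return 0;
}
```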

/cc @jasnell I'd love to see this land for tomorrow's v6 release

/cc @saghul we should have a @nodejs/libuv 😄

I'm missing something - shouldn't it land in v6, but also in v5 and v4? Isn't this a fix for a potential exploit and not a new feature or API breakage? Why would it be semver-major?

@benjamingr this is only relevant to libuv 1.9 which hasn't landed in v4 or v5. If it is ever backported it would be a future version that came with this fix.
Edit: I've updated my comment above to be more explicit that I'd like to see this included in the v6 release tomorrow.

+1 to including this into v6 as a safeguard.

Shouldn't we wait for a new upstream and have that land instead? This will create discrepancies with using shared libraries.

See libuv/libuv#843 (comment) - I'd be chagrined if we get reports of broken builds because of a fix for an academic issue.

@bnoordhuis But this issue isn't academic on systems where the build would break — those have PATH_MAX undefined. Btw, is there a way to determine using ifdefs if passing a

It's academic because there is no platform that we support where PATH_MAX > 4096.
Not in a way that is 100% foolproof.

I've said this more than once already: please do not backport libuv fixes into Node. The reasons are obvious: users won't know what is backported and what isn't, double bug reports, and so on. Let's not set that precedent.

@bnoordhuis You are talking only about the platforms that we support, but if this passes CI, then no platform that we support has PATH_MAX undefined. And we can't be sure about all the other platforms out there having PATH_MAX ≤ 4096.

@saghul my apologies. I got overzealous in trying to chase down failures in our smoke tests (specifically the ones in node-glob). I'm going to go ahead and close this since there is a possibility of it being reverted (or at least augmented).

No problem. I know you had the best intentions, and sorry for my terse wording :-S