deps: update llhttp to 2.0.1#30553
Closed
deps: update llhttp to 2.0.1 #30553
Uh oh!
There was an error while loading. Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
MemberAuthor
indutny commented Nov 20, 2019
Note that despite major version bump in llhttp - it doesn't have to be semver major for Node.js since llhttp's 2.x API are backwards compatible to 1.x |
MemberAuthor
indutny commented Nov 20, 2019
After landing this PR it might make sense to re-introduce lenient parsing mode. |
devsnek added http 
devsnek approved these changes Nov 20, 2019
gengjiawen approved these changes Nov 20, 2019
Collaborator
nodejs-github-bot commented Nov 20, 2019
Contributor
mscdex commented Nov 20, 2019
s/llhtp/llhttp/ in commit message |
indutnyforce-pushed the feature/llhttp-2.0 branch from aa937ad to d1049a8CompareMemberAuthor
indutny commented Nov 20, 2019
@mscdex good catch, thank you! |
addaleax approved these changes Nov 20, 2019
bnoordhuis approved these changes Nov 20, 2019
devnexen approved these changes Nov 20, 2019
cjihrig approved these changes Nov 20, 2019
4 tasks
MemberAuthor
indutny commented Nov 21, 2019 via email
Looks like I’ve missed an edge case in llhttp. The lenient parsing flag resets after a single request/response. Please do not land this until the fix will be complete. …On Wed, Nov 20, 2019 at 06:25 Colin Ihrig ***@***.***> wrote: ***@***.**** approved this pull request. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#30553?email_source=notifications&email_token=AAB2HQZAKEOAFXHGDRY6XBTQUVCFNA5CNFSM4JPMOULKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCMIPBOA#pullrequestreview-319877304>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAB2HQYEGHE2VIE54PLLUETQUVCFNANCNFSM4JPMOULA> . |
MemberAuthor
indutny commented Nov 21, 2019
Here is a pull request to address this: nodejs/llhttp#34 |
indutnyforce-pushed the feature/llhttp-2.0 branch from d1049a8 to 0226624CompareMemberAuthor
indutny commented Nov 21, 2019
I've force pushed the branch with an update to 2.0.1, which includes the fix for aforementioned issue. Thank you for waiting, y'all! |
gajus commented Nov 22, 2019
Is still planned for v13.3.0? |
Collaborator
nodejs-github-bot commented Nov 25, 2019
Collaborator
nodejs-github-bot commented Nov 26, 2019
Closed
BethGriggs added a commit that referenced this pull request Dec 9, 2019
Notable changes: - crypto: fix key requirements in asymmetric cipher (Tobias Nießen) #30249 - deps: - update llhttp to 2.0.1 (Fedor Indutny) #30553 - upgrade npm to 6.13.1 (claudiahdz) #30533 - update nghttp2 to 1.40.0 (gengjiawen) #30493 - v8: mark serdes API as stable (Anna Henningsen) #30234 PR-URL: #30865
sam-github added a commit that referenced this pull request Dec 9, 2019
Allow insecure HTTP header parsing. Make clear it is insecure. See: - #30553 - #27711 (comment) - #30515 PR-URL: #30567 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Denys Otrishko <[email protected]> Reviewed-By: James M Snell <[email protected]>
targos pushed a commit that referenced this pull request Dec 10, 2019
Allow insecure HTTP header parsing. Make clear it is insecure. See: - #30553 - #27711 (comment) - #30515 PR-URL: #30567 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Denys Otrishko <[email protected]> Reviewed-By: James M Snell <[email protected]>
MylesBorins pushed a commit that referenced this pull request Dec 17, 2019
Changelog: * Optional SSE4.2 support (at compile time) * Lenient mode of operation PR-URL: #30553 Reviewed-By: Gus Caplan <[email protected]> Reviewed-By: Jiawen Geng <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: David Carlier <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Myles Borins <[email protected]>
Merged
sam-github added a commit to sam-github/node that referenced this pull request Jan 10, 2020
Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs#30553 - nodejs#27711 (comment) - nodejs#30515 PR-URL: nodejs#30567 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Denys Otrishko <[email protected]> Reviewed-By: James M Snell <[email protected]>
sam-github added a commit to sam-github/node that referenced this pull request Jan 10, 2020
Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs#30553 - nodejs#27711 (comment) - nodejs#30515 PR-URL: nodejs#30567 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Denys Otrishko <[email protected]> Reviewed-By: James M Snell <[email protected]>
targos pushed a commit that referenced this pull request Jan 14, 2020
Allow insecure HTTP header parsing. Make clear it is insecure. See: - #30553 - #27711 (comment) - #30515 PR-URL: #30567 Backport-PR-URL: #30473 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Denys Otrishko <[email protected]> Reviewed-By: James M Snell <[email protected]>
zsw007 added a commit to ibmruntimes/node that referenced this pull request Feb 11, 2020
Backport 496736f Original commit message: Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs/node#30553 - nodejs/node#27711 (comment) - nodejs/node#30515 PR-URL: nodejs/node#30567 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Denys Otrishko <[email protected]> Reviewed-By: James M Snell <[email protected]>
zsw007 added a commit to ibmruntimes/node that referenced this pull request Feb 12, 2020
Backport 496736f Original commit message: Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs/node#30553 - nodejs/node#27711 (comment) - nodejs/node#30515 PR-URL: nodejs/node#30567 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Denys Otrishko <[email protected]> Reviewed-By: James M Snell <[email protected]>
zsw007 added a commit to ibmruntimes/node that referenced this pull request Feb 12, 2020
Backport 496736f Original commit message: Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs/node#30553 - nodejs/node#27711 (comment) - nodejs/node#30515 PR-URL: nodejs/node#30567 Backport-PR-URL: nodejs/node#30473 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Denys Otrishko <[email protected]> Reviewed-By: James M Snell <[email protected]>
BaochengSu added a commit to BaochengSu/node that referenced this pull request Oct 21, 2020
Ported from OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch Original commit message: commit e2c8f89 Author: Sam Roberts <[email protected]> Date: Thu Jan 16 11:55:52 2020 -0800 test: using TE to smuggle reqs is not possible See: https://hackerone.com/reports/735748 PR-URL: https://github.com/nodejs-private/node-private/pull/192 Reviewed-By: Beth Griggs <[email protected]> commit 49f4220 Author: Sam Roberts <[email protected]> Date: Tue Feb 4 10:36:57 2020 -0800 deps: upgrade http-parser to v2.9.3 PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Sam Roberts <[email protected]> commit d616722 Author: Sam Roberts <[email protected]> Date: Tue Jan 7 14:24:54 2020 -0800 test: check that --insecure-http-parser works Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs#30567 Backport-PR-URL: nodejs#30471 PR-URL: nodejs#31253 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> commit a9849c0 Author: Sam Roberts <[email protected]> Date: Wed Nov 20 11:48:58 2019 -0800 http: opt-in insecure HTTP header parsing Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs#30553 - nodejs#27711 (comment) - nodejs#30515 Backport-PR-URL: nodejs#30471 PR-URL: nodejs#30567 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Denys Otrishko <[email protected]> Reviewed-By: James M Snell <[email protected]> commit a28e5cc Author: Sam Roberts <[email protected]> Date: Wed Nov 13 10:05:38 2019 -0800 deps: upgrade http-parser to v2.9.1 PR-URL: nodejs#30471 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Jiawen Geng <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Signed-off-by: Su Baocheng <[email protected]>
BaochengSu added a commit to BaochengSu/node that referenced this pull request Jul 14, 2022
Ported from OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch Original commit message: commit e2c8f89 Author: Sam Roberts <[email protected]> Date: Thu Jan 16 11:55:52 2020 -0800 test: using TE to smuggle reqs is not possible See: https://hackerone.com/reports/735748 PR-URL: https://github.com/nodejs-private/node-private/pull/192 Reviewed-By: Beth Griggs <[email protected]> commit 49f4220 Author: Sam Roberts <[email protected]> Date: Tue Feb 4 10:36:57 2020 -0800 deps: upgrade http-parser to v2.9.3 PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Sam Roberts <[email protected]> commit d616722 Author: Sam Roberts <[email protected]> Date: Tue Jan 7 14:24:54 2020 -0800 test: check that --insecure-http-parser works Test that using --insecure-http-parser will disable validation of invalid characters in HTTP headers. See: - nodejs#30567 Backport-PR-URL: nodejs#30471 PR-URL: nodejs#31253 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> commit a9849c0 Author: Sam Roberts <[email protected]> Date: Wed Nov 20 11:48:58 2019 -0800 http: opt-in insecure HTTP header parsing Allow insecure HTTP header parsing. Make clear it is insecure. See: - nodejs#30553 - nodejs#27711 (comment) - nodejs#30515 Backport-PR-URL: nodejs#30471 PR-URL: nodejs#30567 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Denys Otrishko <[email protected]> Reviewed-By: James M Snell <[email protected]> commit a28e5cc Author: Sam Roberts <[email protected]> Date: Wed Nov 13 10:05:38 2019 -0800 deps: upgrade http-parser to v2.9.1 PR-URL: nodejs#30471 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Jiawen Geng <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Signed-off-by: Su Baocheng <[email protected]>
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment
13 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changelog:
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passescc @nodejs/http @addaleax@bnoordhuis