From f0049c483cb3a0ca407d9dac5b3432c383fe110c Mon Sep 17 00:00:00 2001 From: "Shuowang (Wayne) Zhang" Date: Tue, 11 Feb 2020 17:14:18 -0500 Subject: [PATCH] http: opt-in insecure HTTP header parsing Backport 496736f Original commit message: Allow insecure HTTP header parsing. Make clear it is insecure. See: - https://github.com/nodejs/node/pull/30553 - https://github.com/nodejs/node/issues/27711#issuecomment-556265881 - https://github.com/nodejs/node/issues/30515 PR-URL: https://github.com/nodejs/node/pull/30567 Backport-PR-URL: https://github.com/nodejs/node/pull/30473 Reviewed-By: Fedor Indutny Reviewed-By: Anna Henningsen Reviewed-By: Denys Otrishko Reviewed-By: James M Snell --- doc/api/cli.md | 12 ++++++++++++ doc/node.1 | 7 +++++++ lib/_http_client.js | 7 +++++-- lib/_http_common.js | 13 ++++++++++++- lib/_http_server.js | 9 +++++++-- src/node.cc | 13 +++++++++++++ src/node_http_parser.cc | 8 +++++--- 7 files changed, 61 insertions(+), 8 deletions(-) diff --git a/doc/api/cli.md b/doc/api/cli.md index c130f1a51dbc..8caa143bfbbc 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -131,6 +131,17 @@ Useful when activating the inspector by sending the `SIGUSR1` signal. Default host is 127.0.0.1. +### `--insecure-http-parser` + + +Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow +interoperability with non-conformant HTTP implementations. It may also allow +request smuggling and other HTTP attacks that rely on invalid headers being +accepted. Avoid using this option. + + ### `--no-deprecation`