http: check for existance in resetHeadersTimeoutOnReqEnd #26402
cc @nodejs/http @nodejs/lts @nodejs/release we would likely have to backport this down to 6 for safety, given that we do not know how this condition is triggered.
@richardlau good spot! Fixed.
Optional typo fix for commit title: s/existance/existence/
Here's a test that reproduces the error in #26366 in current master.

```js
'use strict';
require('../common');
const http = require('http');

const server = http.createServer((req, res) => {
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  // Remove the parser property from the socket once the write completes,
  // so that socket.parser reads as undefined rather than null.
  res.write('okay', () => { delete res.socket.parser });
  res.end();
});

server.listen(1337, '127.0.0.1');

const req = http.request({
  port: 1337,
  host: '127.0.0.1',
  method: 'GET',
});

req.end();
```
Is it worth adding the code in the previous comment (or something like it) as a test?
I think so. However it’s not clear if we are doing it in core or not, or it is just user specific (somehow).
By the way, #26404 is basically the same thing but on the client end rather than the server end.
@@ -755,7 +755,7 @@ function resetHeadersTimeoutOnReqEnd() { | |||
const parser = this.socket.parser; | |||
// Parser can be null if the socket was destroyed | |||
// in that case, there is nothing to do. | |||
if (parser !== null) { | |||
if (parser) { |
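Review bot: The comment kept above the check ("Parser can be null if the socket was destroyed") no longer matches the condition. `if (parser)` also skips an `undefined` parser, which is the case this change is meant to cover, so the comment should mention the missing or undefined case as well. If the intent is only to exclude null and undefined, `parser != null` states that more precisely than a truthiness test.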
Changing to parser != null would work also and be a bit safer
The overall problem with supporting a “delete” case is that it could trigger the vulnerability we are trying to protect against.
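An added example, not code from this PR or from Node.js: it compares the three guards mentioned in this thread (`parser !== null`, `parser != null`, `if (parser)`) against a live, a destroyed and a deleted parser. The `headersStart` field and the socket objects are constructed assumptions, since the hunk does not show the guarded body.

```javascript
'use strict';

// Three candidate guards for the parser check discussed in this thread.
const guards = {
  strictNotNull: (p) => p !== null, // first check shown in the hunk
  looseNotNull: (p) => p != null,   // alternative suggested in review
  truthy: (p) => Boolean(p),        // second check shown in the hunk: if (parser)
};

// Hypothetical stand-in for the guarded body: `headersStart` is an assumed
// field name, used only to show what happens when the guard lets a value through.
function resetWithGuard(guard, socket) {
  const parser = socket.parser;
  if (!guard(parser)) return 'skipped';
  try {
    parser.headersStart = 1;
    return 'reset';
  } catch (err) {
    return err.constructor.name; // property write on undefined throws TypeError
  }
}

// Constructed socket states: live parser, destroyed (null), property deleted.
function makeSockets() {
  const deleted = { parser: {} };
  delete deleted.parser; // same operation as the reproduction posted above
  return {
    live: { parser: {} },
    destroyed: { parser: null },
    deleted,
  };
}

// Run every guard against every socket state and collect the outcomes.
function compareGuards() {
  const out = {};
  for (const [name, guard] of Object.entries(guards)) {
    out[name] = {};
    for (const [state, socket] of Object.entries(makeSockets())) {
      out[name][state] = resetWithGuard(guard, socket);
    }
  }
  return out;
}

console.table(compareGuards());
```

Only the strict `!== null` guard lets the deleted (undefined) parser through to the property write; the other two skip it.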
socket.parser can be undefined under unknown circumstances. This is a fix for a bug I cannot reproduce but it is affecting people. Fixes: nodejs#26366
Landed in 3c83f93
@nodejs/lts this should be backported asap to all lines.
socket.parser can be undefined under unknown circumstances. This is a fix for a bug I cannot reproduce but it is affecting people. Fixes: nodejs#26366 PR-URL: nodejs#26402 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Probably too late for 11.11.0, but ping @BridgeAR.
@richardlau I would rather pull that into the release afterwards.
I've finally found the root issue behind #26366 or better in https://github.com/eggjs/egg-socket.io. The problem is that our There is nothing wrong with this fix but the problem is in egg-socket.io and may arise again. I think the regression test added here does not make much sense.
socket.parser can be undefined under unknown circumstances.
This is a fix for a bug I cannot reproduce but it is affecting
people.
Fixes: #26366
Checklist
make -j4 test (UNIX), or vcbuild test (Windows) passes