Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

polling connection request.headers.origin has invalid characters cause uncaughtException throw #517

Closed
1 task done
ttol66 opened this issue Jul 10, 2017 · 1 comment · Fixed by #531
Closed
1 task done

polling connection request.headers.origin has invalid characters cause uncaughtException throw #517

ttol66 opened this issue Jul 10, 2017 · 1 comment · Fixed by #531

Comments

@ttol66
Copy link

ttol66 commented Jul 10, 2017
edited
Loading

You want to:

  • report a bug

Current behaviour

polling connection request.headers.origin has invalid characters cause uncaughtException throw.

error stack:

TypeError: The header content contains invalid characters
    at storeHeader (_http_outgoing.js:319:11)
    at ServerResponse.OutgoingMessage._storeHeader (_http_outgoing.js:228:9)
    at ServerResponse.writeHead (_http_server.js:221:8)
    at IncomingMessage.onEnd (/opt/pushnode/node_modules/engine.io/lib/transports/polling.js:180:9)
    at emitNone (events.js:86:13)
    at IncomingMessage.emit (events.js:185:7)
    at endReadableNT (_stream_readable.js:974:12)
    at _combinedTickCallback (internal/process/next_tick.js:80:11)
    at process._tickDomainCallback (internal/process/next_tick.js:128:9)

Steps to reproduce (if the current behaviour is a bug)

  1. start a socket.io server
  2. send a polling connection request, headers.origin contain invalid characters(\x027)
echo -en "GET /socket.io/?rid=0&EIO=3&transport=polling HTTP/1.1\r\nHost: 127.0.0.1:3000\r\nOrigin:\x027.com\r\n\r\n" | nc 127.0.0.1 3000

Expected behaviour

disconnect client connection , don't throw error, maybe emit an error event

Setup

  • OS: Ubuntu 16.04.2 LTS , NodeJs v6.10.3
  • browser:
  • engine.io version: 1.6.8 (socket.io 1.4.5)

Other information (e.g. stacktraces, related issues, suggestions how to fix)

check headers.origin value before writeHeader() or just wrap writeHeader() in try/catch

nodejs/node@7bef1b7907
@ttol66 ttol66 changed the title polling connection request.headers.origin has invalid char cause unhandled exception throw polling connection request.headers.origin has invalid char cause uncaughtException throw Jul 13, 2017
@ttol66 ttol66 changed the title polling connection request.headers.origin has invalid char cause uncaughtException throw polling connection request.headers.origin has invalid characters cause uncaughtException throw Jul 13, 2017
darrachequesne added a commit to darrachequesne/engine.io that referenced this issue Sep 2, 2017
@darrachequesne
[fix] Check whether 'Origin' header has invalid characters
35fbcbc 
Since the 'Origin' header is used as response header, a value with invalid characters would trigger
'The header content contains invalid characters' errors.

Closes socketio#517
@darrachequesne darrachequesne mentioned this issue Sep 2, 2017
Merged
1 task
darrachequesne added a commit that referenced this issue Sep 2, 2017
@darrachequesne
[fix] Check whether 'Origin' header has invalid characters (#531)
e0d720c 
Since the 'Origin' header is used as response header, a value with invalid characters would trigger
'The header content contains invalid characters' errors.

Closes #517
@darrachequesne
Copy link
Member

Good catch, thanks! #531 should fix the issue.

darrachequesne added a commit that referenced this issue May 8, 2020
@darrachequesne
[chore] Speed up lint by avoiding '**/*.js' matching pattern (#517)
75b7fda
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[fix] Check whether 'Origin' header has invalid characters darrachequesne/engine.io
2 participants
@ttol66 @darrachequesne