http: do not allow OBS fold in headers by default

PR-URL: nodejs-private/node-private#558
Refs: nodejs-private/node-private#556
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2024-27982

Author: ShogunPanda

deps/llhttp/CMakeLists.txt

@@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.5.1)
 cmake_policy(SET CMP0069 NEW)
 
-project(llhttp VERSION 6.1.0)
+project(llhttp VERSION 6.1.1)
 include(GNUInstallDirs)
 
 set(CMAKE_C_STANDARD 99)

deps/llhttp/include/llhttp.h

@@ -3,7 +3,7 @@
 
 #define LLHTTP_VERSION_MAJOR 6
 #define LLHTTP_VERSION_MINOR 1
-#define LLHTTP_VERSION_PATCH 0
+#define LLHTTP_VERSION_PATCH 1
 
 #ifndef LLHTTP_STRICT_MODE
 # define LLHTTP_STRICT_MODE 0

deps/llhttp/src/llhttp.c

@@ -46,7 +46,8 @@ const server = net.createServer(function(conn) {
 server.listen(0, common.mustCall(function() {
   http.get({
     host: '127.0.0.1',
-    port: this.address().port
+    port: this.address().port,
+    insecureHTTPParser: true
   }, common.mustCall(function(res) {
     assert.strictEqual(res.headers['content-type'],
                        'text/plain; x-unix-mode=0600; name="hello.txt"');

test/parallel/test-http-multi-line-headers.js

@@ -71,10 +71,7 @@ const net = require('net');
     '',
   ].join('\r\n');
 
-  const server = http.createServer(common.mustCall((request, response) => {
-    assert.notStrictEqual(request.url, '/admin');
-    response.end('hello world');
-  }), 1);
+  const server = http.createServer(common.mustNotCall());
 
   server.listen(0, common.mustSucceed(() => {
     const client = net.connect(server.address().port, 'localhost');