From 831167742ba1898bd3feab2d3b51f25fcb5e44bf Mon Sep 17 00:00:00 2001 From: Matteo Collina Date: Thu, 29 Nov 2018 08:52:16 +0100 Subject: [PATCH 1/2] build: make HTTP_MAX_HEADER_SIZE configurable The maximum size of headers introduced in the security release of 2018/11/27 is not configurable. This change adds a --http-max-header-size option to ./configure. See: https://github.com/nodejs/node/issues/24693
---
 configure.py | 9 +++++++++ deps/http_parser/http_parser.gyp | 8 ++++++-- node.gypi | 2 ++ 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/configure.py b/configure.py
index 3d4cea32cdefb1..368cceece5c8c7 100755
--- a/configure.py
+++ b/configure.py
@@ -189,6 +189,11 @@
 dest='experimental_http_parser',
 help='use llhttp instead of http_parser')
+parser.add_option('--http-max-header-size',
+ action='store',
+ default='8192',
+ help='set the max size of HTTP headers [default: %default]')
+
 shared_optgroup.add_option('--shared-http-parser',
 action='store_true',
 dest='shared_http_parser',
@@ -1594,7 +1599,11 @@ def make_bin_override():
 configure_node(output)
 configure_library('zlib', output)
+
+# configure http_parser
 configure_library('http_parser', output)
+output['variables']['http_max_header_size'] = options.http_max_header_size
+
 configure_library('libuv', output)
 configure_library('libcares', output)
 configure_library('nghttp2', output)
diff --git a/deps/http_parser/http_parser.gyp b/deps/http_parser/http_parser.gyp
index 4364f73d1f4548..34618a4c93073b 100644
--- a/deps/http_parser/http_parser.gyp
+++ b/deps/http_parser/http_parser.gyp
@@ -47,6 +47,10 @@
 ],
 },
+ 'variables': {
+ 'http_max_header_size%': '8192'
+ },
+
 'targets': [
 {
 'target_name': 'http_parser',
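Review bot: The new `--http-max-header-size` option in the first configure.py hunk is stored as an unvalidated string (`action='store'`, `default='8192'`, no `type`), so a typo or a non-positive value is substituted straight into the `HTTP_MAX_HEADER_SIZE=<(http_max_header_size)` defines in http_parser.gyp and node.gypi. Since the commit message ties this limit to the 2018/11/27 security release, I would parse it with `type='int'` and `default=8192`, and reject values below 1 with `parser.error('--http-max-header-size must be a positive integer')`. That check belongs after option parsing, which is outside this hunk. The help text should also say that the value is in bytes and that raising it loosens the protection against oversized headers.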
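Review bot: `output['variables']['http_max_header_size']` in the second configure.py hunk is written unconditionally, but the node.gypi change adds the define only inside the `node_shared_http_parser=="false"` branch and adds nothing to the llhttp branch. As far as the visible hunks show, a build configured with `--shared-http-parser` or the experimental parser accepts the option and then ignores it, leaving the builder with a different header limit than the one requested. I would emit a configure-time warning when the option is combined with either of those flags. The `# configure http_parser` comment would also read better as `# http_max_header_size only affects the bundled http_parser build`.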
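Review bot: The default for `http_max_header_size` is now spelled in three places with two different types: the string `'8192'` in this `variables` block and in configure.py, and the integer `8192` in node.gypi. Nothing ties the copies together, so a later change to one of them could leave the http_parser target and node's own sources compiled with different `HTTP_MAX_HEADER_SIZE` values when a gyp file is processed without the configure output. That is an inference, since the consumers of the define are not part of this patch. I would use the same literal form in both gyp files and document the variable where it is declared, for example `# Max HTTP/1 header bytes; overridden by ./configure --http-max-header-size`.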
@@ -56,7 +60,7 @@
 'defines': [ 'HTTP_PARSER_STRICT=0' ],
 'include_dirs': [ '.' ],
 },
- 'defines': [ 'HTTP_MAX_HEADER_SIZE=8192', 'HTTP_PARSER_STRICT=0' ],
+ 'defines': [ 'HTTP_MAX_HEADER_SIZE=<(http_max_header_size)', 'HTTP_PARSER_STRICT=0' ],
 'sources': [ './http_parser.c', ],
 'conditions': [
 ['OS=="win"', {
@@ -79,7 +83,7 @@
 'defines': [ 'HTTP_PARSER_STRICT=1' ],
 'include_dirs': [ '.' ],
 },
- 'defines': [ 'HTTP_MAX_HEADER_SIZE=8192', 'HTTP_PARSER_STRICT=1' ],
+ 'defines': [ 'HTTP_MAX_HEADER_SIZE=<(http_max_header_size)', 'HTTP_PARSER_STRICT=1' ],
 'sources': [ './http_parser.c', ],
 'conditions': [
 ['OS=="win"', {
diff --git a/node.gypi b/node.gypi
index fdf81b7465b906..971072073f4348 100644
--- a/node.gypi
+++ b/node.gypi
@@ -8,6 +8,7 @@
 # all obj files in static libs into the executable or shared lib.
 'variables': {
 'variables': {
+ 'http_max_header_size%': 8192,
 'variables': {
 'force_load%': 'true',
 'current_type%': '<(_type)',
@@ -168,6 +169,7 @@
 'dependencies': [ 'deps/llhttp/llhttp.gyp:llhttp' ],
 }, {
 'conditions': [ [ 'node_shared_http_parser=="false"', {
+ 'defines': [ 'HTTP_MAX_HEADER_SIZE=<(http_max_header_size)' ],
 'dependencies': [ 'deps/http_parser/http_parser.gyp:http_parser' ],
 } ] ],
 } ],
From c0293dea23da971b4437f3c53ea1ac85d30b6ed6 Mon Sep 17 00:00:00 2001 From: Matteo Collina Date: Fri, 30 Nov 2018 10:44:49 +0100 Subject: [PATCH 2/2] fixup
---
 doc/api/errors.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/doc/api/errors.md b/doc/api/errors.md
index 75d0f368ca7c2d..1715a6af087077 100644
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -1888,10 +1888,14 @@ changes: --> Too much HTTP header data was received. In order to protect against malicious or -malconfigured clients, if more than 8KB of HTTP header data is received then +malconfigured clients, if more than 8KB of HTTP/1 header data is received then HTTP parsing will abort without a request or response object being created, and an `Error` with this code will be emitted. +The maximum amount of HTTP/1 header data could be configured and changed +when building node by using `./configure --http-max-header-size=MAX` +for example. + ### MODULE_NOT_FOUND