cli: add --max-http-header-size flag #24811
Conversation
nodejs-github-bot
added
c++
|
I think we should expose that value as a read-only property under |
Not strictly an alternative. See #24716 (comment) for my feelings on having both. |
|
Probably an obvious suggestion, but perhaps you can reuse the existing tests if they are made slightly context aware wrt. the size setting, then wrap them in one that specifies a node option, like https://github.com/nodejs/node/blob/master/test/parallel/test-tls-cli-min-version-1.0.js |
CVE-2018-12121 PR-URL: nodejs-private/node-private#143 Ref: nodejs-private/security#139 Ref: nodejs-private/http-parser-private#2 Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
Can this be back-ported to Node 8 LTS? As of v8.14.0, people blessed with domains with a lot of cookies are broken without this option, effectively preventing them from consuming any more LTS fixes (and 8.14.0 contains a security fix as well). |
cjihrig
force-pushed
the
max-headers-size
branch
3 times, most recently
from
d4a3a0a
to
3275c64
Compare
|
I think I've addressed all the nits. @mcollina, you signed off on this, but did you still want this added to the HTTP API? |
|
It would be better but it can come later if somebody needs it. |
cjihrig
force-pushed
the
max-headers-size
branch
from
3275c64
to
67e5595
Compare
Opened #24860 to discuss separately. |
|
@cjihrig what's the status of this? |
mcollina
added
tsc-review
tsc-agenda
…e introduced - more detail: nodejs/node#24811
|
Thanks for this! |
This commit adds http_parser_set_max_header_size() to the http-parser for overriding the compile time maximum HTTP header size. PR-URL: nodejs#24811 Fixes: nodejs#24692 Refs: nodejs/http-parser#453 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
This commit adds support for uint64_t option parsing. PR-URL: nodejs#24811 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Allow the maximum size of HTTP headers to be overridden from the command line. co-authored-by: Matteo Collina <hello@matteocollina.com> PR-URL: nodejs#24811 Fixes: nodejs#24692 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
The 6.15.0 security release introduced some unexpected breakages on
the 6.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.
Notable changes:
* cli:
- add --max-http-header-size flag (cjihrig)
nodejs#24811
* http:
- add maxHeaderSize property (cjihrig)
nodejs#24860
PR-URL: nodejs#25178
The 8.14.0 security release introduced some unexpected breakages on
the 8.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.
Notable changes:
* cli:
- add --max-http-header-size flag (cjihrig)
nodejs#24811
* http:
- add maxHeaderSize property (cjihrig)
nodejs#24860
PR-URL: nodejs#25177
The 10.14.0 security release introduced some unexpected breakages on
the 10.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.
Notable Changes:
* cli:
- add --max-http-header-size flag (cjihrig)
nodejs#24811
* http:
- add maxHeaderSize property (cjihrig)
nodejs#24860
PR-URL: nodejs#25176
Notable Changes:
* cli:
- add --max-http-header-size flag (cjihrig)
nodejs#24811
* crypto:
- always accept certificates as public keys (Tobias Nießen)
nodejs#24234
- add key object API (Tobias Nießen) [nodejs#24234](nodejs#24234)
- update root certificates (Sam Roberts)
nodejs#25113
* deps:
- upgrade to libuv 1.24.1 (cjihrig)
nodejs#25078
- upgrade npm to 6.5.0 (Audrey Eschright)
nodejs#24734
* http:
- add maxHeaderSize property (cjihrig)
nodejs#24860
PR-URL: nodejs#25175
|
how do i use this feature and configure the http header size |
|
Does this apply to https as well? It does not seem to work with https.createServer. |
|
@losdevnull it should! If not please open an new issue with a script to reproduce and tag me. |
|
@mcollina never mind.. it turns out that we did not set the arg correctly in command line by appending it in the end instead of in front of the app to be started. After fix that it worked as expected for https. Thanks! |
| @@ -916,6 +913,14 @@ const parser_settings_t Parser::settings = { | |||
| }; | |||
|
|
|||
|
|
|||
| #ifndef NODE_EXPERIMENTAL_HTTP | |||
| void InitMaxHttpHeaderSizeOnce() { | |||
| const uint32_t max_http_header_size = per_process_opts->max_http_header_size; | |||
There was a problem hiding this comment.
Hi @cjihrig I tried to dig but couldn't figure out the answer.
Does per_process get populated with .npmrc or system environment values? Or can this only be set with the CLI option?
There was a problem hiding this comment.
You can configure this via the CLI option or NODE_OPTIONS environment variable (search the tests in this PR for NODE_OPTIONS).
|
It would be great if node responded with an HTTP 413 “Request Header fields too large” (or something similar) is this was encountered instead of behaving like it is crashing (or empty return) or timing out (with nginx in front it will result in a 502/400 based on the node version or a 504 timeout) |
|
Allow the maximum size of HTTP headers to be overridden from the command line.
Refs: nodejs/http-parser#453
Fixes: #24692
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes