-
Notifications
You must be signed in to change notification settings - Fork 96
http: sanitize http headers and method names #13
Comments
I'd be curious if this will impact perf depending on where it is. What's the summary of what this fixes, just people setting weird headers? Does that actually produce any thing other than invalid sent headers? Are people just using the API wrong? |
Well, the key impact is that it would allow header injection through malformed header and method name inputs. It's a relatively low risk security and conformance nit really. Not a huge priority but worth fixing if we can. As you can see from the |
@Fishrock123 ... one possible approach on this is to put the additional checking behind a flag or option. Running with the flag set would essentially put node into a strict conformance checking mode that can be used to identify errors like this, but can be left switched off in production to avoid the additional perf hit. |
@jasnell I recall discussion related to an http "strict mode" before somewhere in io.js#1457. I'm -1 on sanitizing -- a developer should definitely do that before writing user-provided strings in headers -- and unsure about throwing. Also curious about perf though -- will this also affect the value of the header and not just the name? I don't recall us already iterating through the header strings themselves. This is also relevant to iojs#1693. Should we instead trust the developer (also allowing them to use whichever encoding they want)? |
@jasnell I'll leave you to close this one but it seems like this should be moved to nodejs/node now right? |
Yes, I'll handle this one. It hasn't been fixed yet but needs to be.
|
Ok, new PR opened. Will continue to track the conversation there. Closing this issue here. This does not hold up v4.0.0 at all. |
Per: nodejs/node-convergence-archive#13 This adds a new check for header and trailer fields names and method names to ensure that they conform to the HTTP token rule. If they do not, a `TypeError` is thrown. Previously this had an additional `strictMode` option that has been removed in favor of making the strict check the default (and only) behavior. Doc and test case are included. On the client-side ```javascript var http = require('http'); var url = require('url'); var p = url.parse('http://localhost:8888'); p.headers = {'testing 123': 123}; http.client(p, function(res) { }); // throws ``` On the server-side ```javascript var http = require('http'); var server = http.createServer(function(req,res) { res.setHeader('testing 123', 123); // throws res.end('...'); }); ```
Ref: nodejs/node-convergence-archive#13 This adds a new check for header and trailer fields names and method names to ensure that they conform to the HTTP token rule. If they do not, a `TypeError` is thrown. Previously this had an additional `strictMode` option that has been removed in favor of making the strict check the default (and only) behavior. Doc and test case are included. On the client-side ```javascript var http = require('http'); var url = require('url'); var p = url.parse('http://localhost:8888'); p.headers = {'testing 123': 123}; http.client(p, function(res) { }); // throws ``` On the server-side ```javascript var http = require('http'); var server = http.createServer(function(req,res) { res.setHeader('testing 123', 123); // throws res.end('...'); }); ``` Reviewed-By: Sakthipriyan Vairamani <[email protected]> Reviewed-By: Trevor Norris <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]> Reviewed-By: Rod Vagg <[email protected]> PR-URL: #2526
Simple test case:
Then do a
curl -v http://localhost:3000
This is not a new issue (nodejs/node-v0.x-archive#2602, nodejs/node-v0.x-archive#9076). It affects HTTP request methods and header names. It happens in
v0.10
,v0.12
, and current io.js:I have the code written up to perform the necessary fix but I need a decision: when an invalid http method or header name is passed in, should we throw or attempt to sanitize? Throwing is a API change that breaks backwards compatibility but this is an obvious error with potential security ramifications (fairly low risk). Sanitizing can lead to unexpected results and there is no standard pattern we can follow. Throwing seems to be the best approach.
@nodejs/tsc ... thoughts?
The text was updated successfully, but these errors were encountered: