master

分支 (13)

标签 (9)

管理

管理

master

openEuler-22.03-LTS

openEuler-21.09

openEuler-22.03-LTS-Next

openEuler-20.03-LTS-Next

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS

openEuler-20.03-LTS-SP2

openEuler-20.03-LTS-SP1

sync-pr49-openEuler-20.03-LTS-SP1-to-openEuler-20.03-LTS-Next

openEuler-20.09

openEuler-21.03

revert-merge-11-master

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

nodejs
/
CVE-2020-8287-1.patch

From 92d430917a63a567bb528100371263c46e50ee4a Mon Sep 17 00:00:00 2001
From: Fedor Indutny <fedor@indutny.com>
Date: Wed, 18 Nov 2020 20:50:21 -0800
Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`

Duplicate `Transfer-Encoding` header should be a treated as a single,
but with original header values concatenated with a comma separator. In
the light of this, even if the past `Transfer-Encoding` ended with
`chunked`, we should be not let the `F_CHUNKED` to leak into the next
header, because mere presence of another header indicates that `chunked`
is not the last transfer-encoding token.

CVE-ID: CVE-2020-8287
PR-URL: https://github.com/nodejs-private/node-private/pull/236
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reference: https://github.com/nodejs/node/commit/92d430917a63a567bb528100371263c46e50ee4a
---
 deps/http_parser/http_parser.c |  7 +++++++
 deps/http_parser/test.c        | 26 ++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/deps/http_parser/http_parser.c b/deps/http_parser/http_parser.c
index 0f76b6a..5cc951a 100644
--- a/deps/http_parser/http_parser.c
+++ b/deps/http_parser/http_parser.c
@@ -1339,6 +1339,13 @@ reexecute:
               } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
                 parser->header_state = h_transfer_encoding;
                 parser->flags |= F_TRANSFER_ENCODING;
+
+		/* Multiple `Transfer-Encoding` headers should be treated as
+                 * one, but with values separate by a comma.
+                 *
+                 * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
+                 */
+                parser->flags &= ~F_CHUNKED;
               }
               break;

diff --git a/deps/http_parser/test.c b/deps/http_parser/test.c
index c979467..f185c56 100644
--- a/deps/http_parser/test.c
+++ b/deps/http_parser/test.c
@@ -2045,6 +2045,32 @@ const struct message responses[] =
   ,.body= "2\r\nOK\r\n0\r\n\r\n"
   ,.num_chunks_complete= 0
   }
+#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
+, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
+  ,.type= HTTP_RESPONSE
+  ,.raw= "HTTP/1.1 200 OK\r\n"
+         "Transfer-Encoding: chunked\r\n"
+         "Transfer-Encoding: identity\r\n"
+         "\r\n"
+         "2\r\n"
+         "OK\r\n"
+         "0\r\n"
+         "\r\n"
+  ,.should_keep_alive= FALSE
+  ,.message_complete_on_eof= TRUE
+  ,.http_major= 1
+  ,.http_minor= 1
+  ,.status_code= 200
+  ,.response_status= "OK"
+  ,.content_length= -1
+  ,.num_headers= 2
+  ,.headers=
+    { { "Transfer-Encoding", "chunked" }
+    , { "Transfer-Encoding", "identity" }
+    }
+  ,.body= "2\r\nOK\r\n0\r\n\r\n"
+  ,.num_chunks_complete= 0
+  }
 };

 /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
--
2.23.0