登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 48

xh-hang/nodejs

forked from openEuler-RISC-V/nodejs 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
CVE-2020-8287-2.patch 4.55 KB
一键复制 编辑 原始数据 按行查看 历史
markeryang 提交于 2021-02-09 14:41 . fix CVE-2020-8265 CVE-2020-8287
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151
From 420244e4d9ca6de2612e7f503f5c87e448fbc14b Mon Sep 17 00:00:00 2001

From: Matteo Collina <hello@matteocollina.com>

Date: Thu, 22 Oct 2020 14:10:51 +0200

Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding`



Duplicate `Transfer-Encoding` header should be a treated as a single,

but with original header values concatenated with a comma separator. In

the light of this, even if the past `Transfer-Encoding` ended with

`chunked`, we should be not let the `F_CHUNKED` to leak into the next

header, because mere presence of another header indicates that `chunked`

is not the last transfer-encoding token.



Ref: https://github.com/nodejs-private/llhttp-private/pull/3

See: https://hackerone.com/bugs?report_id=1002188&subject=nodejs



CVE-ID: CVE-2020-8287

PR-URL: https://github.com/nodejs-private/node-private/pull/236

Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>

Reference: https://github.com/nodejs/node/commit/420244e4d9ca6de2612e7f503f5c87e448fbc14b

---

 deps/llhttp/src/llhttp.c                      | 36 ++++++++++++++-

 .../test-http-transfer-encoding-smuggling.js  | 46 +++++++++++++++++++

 2 files changed, 80 insertions(+), 2 deletions(-)

 create mode 100644 test/parallel/test-http-transfer-encoding-smuggling.js



diff --git a/deps/llhttp/src/llhttp.c b/deps/llhttp/src/llhttp.c

index acc35479f88..3019c410963 100644

--- a/deps/llhttp/src/llhttp.c

+++ b/deps/llhttp/src/llhttp.c

@@ -813,6 +813,14 @@ int llhttp__internal__c_or_flags_16(

   return 0;

 }

 

+int llhttp__internal__c_and_flags(

+    llhttp__internal_t* state,

+    const unsigned char* p,

+    const unsigned char* endp) {

+  state->flags &= -9;

+  return 0;

+}

+

 int llhttp__internal__c_update_header_state_7(

     llhttp__internal_t* state,

     const unsigned char* p,

@@ -5974,10 +5982,18 @@ static llparse_state_t llhttp__internal__run(

     /* UNREACHABLE */;

     abort();

   }

+  s_n_llhttp__internal__n_invoke_and_flags: {

+    switch (llhttp__internal__c_and_flags(state, p, endp)) {

+      default:

+        goto s_n_llhttp__internal__n_header_value_te_chunked;

+    }

+    /* UNREACHABLE */;

+    abort();

+  }

   s_n_llhttp__internal__n_invoke_or_flags_16: {

     switch (llhttp__internal__c_or_flags_16(state, p, endp)) {

       default:

-        goto s_n_llhttp__internal__n_header_value_te_chunked;

+        goto s_n_llhttp__internal__n_invoke_and_flags;

     }

     /* UNREACHABLE */;

     abort();

@@ -7625,6 +7641,14 @@ int llhttp__internal__c_or_flags_16(

   return 0;

 }

 

+int llhttp__internal__c_and_flags(

+    llhttp__internal_t* state,

+    const unsigned char* p,

+    const unsigned char* endp) {

+  state->flags &= -9;

+  return 0;

+}

+

 int llhttp__internal__c_update_header_state_7(

     llhttp__internal_t* state,

     const unsigned char* p,

@@ -12522,10 +12546,18 @@ static llparse_state_t llhttp__internal__run(

     /* UNREACHABLE */;

     abort();

   }

+  s_n_llhttp__internal__n_invoke_and_flags: {

+    switch (llhttp__internal__c_and_flags(state, p, endp)) {

+      default:

+        goto s_n_llhttp__internal__n_header_value_te_chunked;

+    }

+    /* UNREACHABLE */;

+    abort();

+  }

   s_n_llhttp__internal__n_invoke_or_flags_16: {

     switch (llhttp__internal__c_or_flags_16(state, p, endp)) {

       default:

-        goto s_n_llhttp__internal__n_header_value_te_chunked;

+        goto s_n_llhttp__internal__n_invoke_and_flags;

     }

     /* UNREACHABLE */;

     abort();

diff --git a/test/parallel/test-http-transfer-encoding-smuggling.js b/test/parallel/test-http-transfer-encoding-smuggling.js

new file mode 100644

index 00000000000..9d97db4c0a2

--- /dev/null

+++ b/test/parallel/test-http-transfer-encoding-smuggling.js

@@ -0,0 +1,46 @@

+'use strict';

+

+const common = require('../common');

+

+const assert = require('assert');

+const http = require('http');

+const net = require('net');

+

+const msg = [

+  'POST / HTTP/1.1',

+  'Host: 127.0.0.1',

+  'Transfer-Encoding: chunked',

+  'Transfer-Encoding: chunked-false',

+  'Connection: upgrade',

+  '',

+  '1',

+  'A',

+  '0',

+  '',

+  'GET /flag HTTP/1.1',

+  'Host: 127.0.0.1',

+  '',

+  '',

+].join('\r\n');

+

+// Verify that the server is called only once even with a smuggled request.

+

+const server = http.createServer(common.mustCall((req, res) => {

+  res.end();

+}, 1));

+

+function send(next) {

+  const client = net.connect(server.address().port, 'localhost');

+  client.setEncoding('utf8');

+  client.on('error', common.mustNotCall());

+  client.on('end', next);

+  client.write(msg);

+  client.resume();

+}

+

+server.listen(0, common.mustCall((err) => {

+  assert.ifError(err);

+  send(common.mustCall(() => {

+    server.close();

+  }));

+}));
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/xhdxw/nodejs.git
git@gitee.com:xhdxw/nodejs.git
xhdxw
nodejs
nodejs
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
仓库举报
回到顶部