-
Notifications
You must be signed in to change notification settings - Fork 30.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
http: strip trailing OWS from header values
HTTP header values can have trailing OWS, but it should be stripped. It is not semantically part of the header's value, and if treated as part of the value, it can cause spurious inequality between expected and actual header values. Note that a single SPC of leading OWS is common before the field-value, and it is already handled by the HTTP parser by stripping all leading OWS. It is only the trailing OWS that must be stripped by the parser user. header-field = field-name ":" OWS field-value OWS ; https://tools.ietf.org/html/rfc7230#section-3.2 OWS = *( SP / HTAB ) ; https://tools.ietf.org/html/rfc7230#section-3.2.3 Fixes: https://hackerone.com/reports/730779 PR-URL: nodejs-private/node-private#189 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: James M Snell <[email protected]>
- Loading branch information
1 parent
b7da194
commit 25b6897
Showing
3 changed files
with
74 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
'use strict'; | ||
const common = require('../common'); | ||
|
||
// This test ensures that the http-parser strips leading and trailing OWS from | ||
// header values. It sends the header values in chunks to force the parser to | ||
// build the string up through multiple calls to on_header_value(). | ||
|
||
const assert = require('assert'); | ||
const http = require('http'); | ||
const net = require('net'); | ||
|
||
function check(hdr, snd, rcv) { | ||
const server = http.createServer(common.mustCall((req, res) => { | ||
assert.strictEqual(req.headers[hdr], rcv); | ||
req.pipe(res); | ||
})); | ||
|
||
server.listen(0, common.mustCall(function() { | ||
const client = net.connect(this.address().port, start); | ||
function start() { | ||
client.write('GET / HTTP/1.1\r\n' + hdr + ':', drain); | ||
} | ||
|
||
function drain() { | ||
if (snd.length === 0) { | ||
return client.write('\r\nConnection: close\r\n\r\n'); | ||
} | ||
client.write(snd.shift(), drain); | ||
} | ||
|
||
const bufs = []; | ||
client.on('data', function(chunk) { | ||
bufs.push(chunk); | ||
}); | ||
client.on('end', common.mustCall(function() { | ||
const head = Buffer.concat(bufs) | ||
.toString('latin1') | ||
.split('\r\n')[0]; | ||
assert.strictEqual(head, 'HTTP/1.1 200 OK'); | ||
server.close(); | ||
})); | ||
})); | ||
} | ||
|
||
check('host', [' \t foo.com\t'], 'foo.com'); | ||
check('host', [' \t foo\tcom\t'], 'foo\tcom'); | ||
check('host', [' \t', ' ', ' foo.com\t', '\t '], 'foo.com'); | ||
check('host', [' \t', ' \t'.repeat(100), '\t '], ''); | ||
check('host', [' \t', ' - - - - ', '\t '], '- - - -'); |