Since v8.14 requests with a long URL fail #24990

Closed
BorntraegerMarc opened this issue Dec 12, 2018 · 1 comment
Labels

  • duplicate: Issues and PRs that are duplicates of other issues or PRs.
  • http_parser: Issues and PRs related to the HTTP Parser dependency or the http_parser binding.
  • http: Issues or PRs related to the http subsystem.

Comments

@BorntraegerMarc

  • Version: v8.14.0
  • Platform: Darwin Marcs-MacBook-Pro.local 18.2.0 Darwin Kernel Version 18.2.0: Fri Oct 5 19:41:49 PDT 2018; root:xnu-4903.221.2~2/RELEASE_X86_64 x86_64
  • Subsystem:

Probably it's because of this security fix: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/#denial-of-service-with-large-http-headers-cve-2018-12121

I think this security fix should only address the headers and not the URL with its params.

How to reproduce:

  1. Make a request with a URL longer than 8000 bytes
  2. You will receive a "socket hang up" error.
  3. Example with a URL and long URL params string:
    (screenshot 2018-12-12 at 14 18 28)
@BorntraegerMarc changed the title from "Since v8.14 requests with a long URL hang up socket" to "Since v8.14 requests with a long URL fail" on Dec 12, 2018
@bnoordhuis
Member

> I think this security fix should only address the headers and not the URL with its params.

No, that would reintroduce the DoS vulnerability.

I'm closing this as a duplicate of #24692. Once that's fixed, you'll be able to resolve your issue.

@bnoordhuis added the duplicate, http and http_parser labels on Dec 13, 2018
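An added example, not part of the original thread and not Node.js project code: a pre-flight check that measures the request head (request line plus headers) a URL will produce, since the thread shows the URL counts toward the same limit as the headers. The 8192-byte limit is an assumption taken from the linked advisory, the function names are hypothetical, and the URLs and headers are constructed samples.

```javascript
'use strict';
// Added example, not Node.js project code. All names below are hypothetical.

// Assumption: 8192-byte cap on the header section, per the linked advisory.
const HEADER_LIMIT = 8192;

// Serialize the request head (request line + headers) roughly as an
// HTTP/1.1 client writes it, so the URL and headers are measured together.
function requestHead(method, rawUrl, headers = {}) {
  const u = new URL(rawUrl); // WHATWG URL percent-encodes non-ASCII input
  const lines = [
    `${method} ${u.pathname}${u.search} HTTP/1.1`,
    `Host: ${u.host}`,
  ];
  for (const [name, value] of Object.entries(headers)) {
    lines.push(`${name}: ${value}`);
  }
  return lines.join('\r\n') + '\r\n\r\n';
}

// Report how much of the budget the request line and the whole head use.
function checkRequest(method, rawUrl, headers = {}, limit = HEADER_LIMIT) {
  const head = requestHead(method, rawUrl, headers);
  const requestLine = head.slice(0, head.indexOf('\r\n'));
  const headBytes = Buffer.byteLength(head);
  return {
    requestLineBytes: Buffer.byteLength(requestLine),
    headBytes,
    overLimit: headBytes > limit,
  };
}

// Constructed sample inputs (not taken from the issue).
const BASE = 'http://localhost:3000/search?q=';
const SAMPLE_HEADERS = {
  'User-Agent': 'example-client/1.0',
  Accept: '*/*',
  Cookie: 'session=' + 'x'.repeat(200),
};
const SAMPLES = {
  short: [BASE + 'abc', {}],
  longAsciiBare: [BASE + 'a'.repeat(8000), {}],
  longAsciiWithHeaders: [BASE + 'a'.repeat(8000), SAMPLE_HEADERS],
  nonAscii: [BASE + '\u00e4'.repeat(1500), {}], // each char encodes to 6 bytes
};
for (const [name, [url, headers]] of Object.entries(SAMPLES)) {
  const r = checkRequest('GET', url, headers);
  console.log(name, `line=${r.requestLineBytes}B head=${r.headBytes}B`,
    r.overLimit ? 'OVER LIMIT' : 'ok');
}
```

The same 8000-character query stays under the limit with only a Host header and goes over once ordinary headers are added, and the 1500-character non-ASCII query goes over on its own because percent-encoding expands it.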