Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deps: update llhttp to 2.0.1 #30553

Closed
wants to merge 1 commit into from
Closed

deps: update llhttp to 2.0.1 #30553

wants to merge 1 commit into from

Conversation

indutny
Copy link
Member

@indutny indutny commented Nov 20, 2019

Changelog:

  • Optional SSE4.2 support (at compile time)
  • Lenient mode of operation
Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

cc @nodejs/http @addaleax @bnoordhuis

@indutny
Copy link
Member Author

indutny commented Nov 20, 2019

Note that despite major version bump in llhttp - it doesn't have to be semver major for Node.js since llhttp's 2.x API are backwards compatible to 1.x

@indutny
Copy link
Member Author

indutny commented Nov 20, 2019

After landing this PR it might make sense to re-introduce lenient parsing mode.

@devsnek devsnek added http Issues or PRs related to the http subsystem. http_parser Issues and PRs related to the HTTP Parser dependency or the http_parser binding. labels Nov 20, 2019
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/26767/

@mscdex
Copy link
Contributor

mscdex commented Nov 20, 2019

s/llhtp/llhttp/ in commit message

@indutny indutny changed the title deps: update llhtp to 2.0 deps: update llhttp to 2.0 Nov 20, 2019
@indutny
Copy link
Member Author

indutny commented Nov 20, 2019

@mscdex good catch, thank you!

@sam-github sam-github mentioned this pull request Nov 20, 2019
Closed
4 tasks
@indutny
Copy link
Member Author

indutny commented Nov 21, 2019 via email

@indutny
Copy link
Member Author

indutny commented Nov 21, 2019

Here is a pull request to address this: nodejs/llhttp#34

@mscdex mscdex added the wip Issues and PRs that are still a work in progress. label Nov 21, 2019
@indutny
Copy link
Member Author

indutny commented Nov 21, 2019

I've force pushed the branch with an update to 2.0.1, which includes the fix for aforementioned issue. Thank you for waiting, y'all!

@mscdex mscdex removed the wip Issues and PRs that are still a work in progress. label Nov 21, 2019
@mscdex mscdex changed the title deps: update llhttp to 2.0 deps: update llhttp to 2.0.1 Nov 21, 2019
@gajus
Copy link

gajus commented Nov 22, 2019

Is still planned for v13.3.0?

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/26977/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/27055/

@BethGriggs BethGriggs mentioned this pull request Dec 9, 2019
Closed
BethGriggs added a commit that referenced this pull request Dec 9, 2019
@BethGriggs
2019-12-17, Version 12.13.2 'Erbium' (LTS)
d02ac1c 
Notable changes:

- crypto: fix key requirements in asymmetric cipher (Tobias Nießen)
  #30249
- deps:
    - update llhttp to 2.0.1 (Fedor Indutny)
      #30553
    - upgrade npm to 6.13.1 (claudiahdz)
      #30533
    - update nghttp2 to 1.40.0 (gengjiawen)
      #30493
- v8: mark serdes API as stable (Anna Henningsen)
  #30234

PR-URL: #30865
sam-github added a commit that referenced this pull request Dec 9, 2019
@sam-github
http: llhttp opt-in insecure HTTP header parsing
02a0c74 
Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- #30553
- #27711 (comment)
- #30515

PR-URL: #30567
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this pull request Dec 10, 2019
@sam-github @targos
http: llhttp opt-in insecure HTTP header parsing
daca078 
Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- #30553
- #27711 (comment)
- #30515

PR-URL: #30567
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Dec 17, 2019
@indutny @MylesBorins
deps: update llhttp to 2.0.1
7589486 
Changelog:

* Optional SSE4.2 support (at compile time)
* Lenient mode of operation

PR-URL: #30553
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
@BethGriggs BethGriggs mentioned this pull request Dec 23, 2019
Merged
BethGriggs added a commit that referenced this pull request Dec 23, 2019
@BethGriggs
2020-01-07, Version 12.14.1 'Erbium' (LTS)
423b44a 
Notable changes:

- crypto: fix key requirements in asymmetric cipher (Tobias Nießen)
  #30249
- deps:
    - update llhttp to 2.0.1 (Fedor Indutny)
      #30553
    - update nghttp2 to 1.40.0 (gengjiawen)
      #30493
- v8: mark serdes API as stable (Anna Henningsen)
  #30234

PR-URL: #31069
BethGriggs added a commit that referenced this pull request Dec 27, 2019
@BethGriggs
2020-01-07, Version 12.14.1 'Erbium' (LTS)
db01408 
Notable changes:

- crypto: fix key requirements in asymmetric cipher (Tobias Nießen)
  #30249
- deps:
    - update llhttp to 2.0.1 (Fedor Indutny)
      #30553
    - update nghttp2 to 1.40.0 (gengjiawen)
      #30493
- v8: mark serdes API as stable (Anna Henningsen)
  #30234

PR-URL: #31069
BethGriggs added a commit that referenced this pull request Dec 31, 2019
@BethGriggs
2020-01-07, Version 12.14.1 'Erbium' (LTS)
9622fed 
Notable changes:

- crypto: fix key requirements in asymmetric cipher (Tobias Nießen)
  #30249
- deps:
    - update llhttp to 2.0.1 (Fedor Indutny)
      #30553
    - update nghttp2 to 1.40.0 (gengjiawen)
      #30493
- v8: mark serdes API as stable (Anna Henningsen)
  #30234

PR-URL: #31069
BethGriggs added a commit that referenced this pull request Jan 7, 2020
@BethGriggs
2020-01-07, Version 12.14.1 'Erbium' (LTS)
f5512ff 
Notable changes:

- crypto: fix key requirements in asymmetric cipher (Tobias Nießen)
  #30249
- deps:
    - update llhttp to 2.0.1 (Fedor Indutny)
      #30553
    - update nghttp2 to 1.40.0 (gengjiawen)
      #30493
- v8: mark serdes API as stable (Anna Henningsen)
  #30234

PR-URL: #31069
sam-github added a commit to sam-github/node that referenced this pull request Jan 10, 2020
@sam-github
http: opt-in insecure HTTP header parsing
d4bcc5f 
Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- nodejs#30553
- nodejs#27711 (comment)
- nodejs#30515

PR-URL: nodejs#30567
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
sam-github added a commit to sam-github/node that referenced this pull request Jan 10, 2020
@sam-github
http: opt-in insecure HTTP header parsing
056d8e5 
Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- nodejs#30553
- nodejs#27711 (comment)
- nodejs#30515

PR-URL: nodejs#30567
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this pull request Jan 14, 2020
@sam-github @targos
http: opt-in insecure HTTP header parsing
3a7a3be 
Allow insecure HTTP header parsing. Make clear it is insecure.

See:
- #30553
- #27711 (comment)
- #30515

PR-URL: #30567
Backport-PR-URL: #30473
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
zsw007 added a commit to ibmruntimes/node that referenced this pull request Feb 11, 2020
@zsw007
http: opt-in insecure HTTP header parsing
11fdae4 
Backport 496736f

Original commit message:

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs/node#30553
    - nodejs/node#27711 (comment)
    - nodejs/node#30515

    PR-URL: nodejs/node#30567
    Backport-PR-URL: nodejs/node#30473
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Denys Otrishko <shishugi@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
zsw007 added a commit to ibmruntimes/node that referenced this pull request Feb 12, 2020
@zsw007
http: opt-in insecure HTTP header parsing
f0049c4 
Backport 496736f

Original commit message:

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs/node#30553
    - nodejs/node#27711 (comment)
    - nodejs/node#30515

    PR-URL: nodejs/node#30567
    Backport-PR-URL: nodejs/node#30473
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Denys Otrishko <shishugi@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
zsw007 added a commit to ibmruntimes/node that referenced this pull request Feb 12, 2020
@zsw007
http: opt-in insecure HTTP header parsing
942e61e 
Backport 496736f

Original commit message:

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs/node#30553
    - nodejs/node#27711 (comment)
    - nodejs/node#30515

    PR-URL: nodejs/node#30567
    Backport-PR-URL: nodejs/node#30473
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Denys Otrishko <shishugi@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
BaochengSu added a commit to BaochengSu/node that referenced this pull request Oct 21, 2020
@BaochengSu
CVE-2019-15605
a5c5539 
Ported from
OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch

Original commit message:

commit e2c8f89
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Thu Jan 16 11:55:52 2020 -0800

    test: using TE to smuggle reqs is not possible

    See: https://hackerone.com/reports/735748

    PR-URL: https://github.com/nodejs-private/node-private/pull/192
    Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>

commit 49f4220
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Tue Feb 4 10:36:57 2020 -0800

    deps: upgrade http-parser to v2.9.3

    PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Sam Roberts <vieuxtech@gmail.com>

commit d616722
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Tue Jan 7 14:24:54 2020 -0800

    test: check that --insecure-http-parser works

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs#30567

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#31253
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

commit a9849c0
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Wed Nov 20 11:48:58 2019 -0800

    http: opt-in insecure HTTP header parsing

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs#30553
    - nodejs#27711 (comment)
    - nodejs#30515

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#30567
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Denys Otrishko <shishugi@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>

commit a28e5cc
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Wed Nov 13 10:05:38 2019 -0800

    deps: upgrade http-parser to v2.9.1

    PR-URL: nodejs#30471
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>

Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
BaochengSu added a commit to BaochengSu/node that referenced this pull request Jul 14, 2022
@BaochengSu
CVE-2019-15605
65ab2f5 
Ported from
OpenSUSE:nodejs8-8.17.0-lp152.147.1:CVE-2019-15605.patch

Original commit message:

commit e2c8f89
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Thu Jan 16 11:55:52 2020 -0800

    test: using TE to smuggle reqs is not possible

    See: https://hackerone.com/reports/735748

    PR-URL: https://github.com/nodejs-private/node-private/pull/192
    Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>

commit 49f4220
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Tue Feb 4 10:36:57 2020 -0800

    deps: upgrade http-parser to v2.9.3

    PR-URL: https://github.com/nodejs-private/http-parser-private/pull/4
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Sam Roberts <vieuxtech@gmail.com>

commit d616722
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Tue Jan 7 14:24:54 2020 -0800

    test: check that --insecure-http-parser works

    Test that using --insecure-http-parser will disable validation of
    invalid characters in HTTP headers.

    See:
    - nodejs#30567

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#31253
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

commit a9849c0
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Wed Nov 20 11:48:58 2019 -0800

    http: opt-in insecure HTTP header parsing

    Allow insecure HTTP header parsing. Make clear it is insecure.

    See:
    - nodejs#30553
    - nodejs#27711 (comment)
    - nodejs#30515

    Backport-PR-URL: nodejs#30471
    PR-URL: nodejs#30567
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Denys Otrishko <shishugi@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>

commit a28e5cc
Author: Sam Roberts <vieuxtech@gmail.com>
Date:   Wed Nov 13 10:05:38 2019 -0800

    deps: upgrade http-parser to v2.9.1

    PR-URL: nodejs#30471
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>

Signed-off-by: Su Baocheng <baocheng.su@siemens.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bnoordhuis bnoordhuis bnoordhuis approved these changes

@MylesBorins MylesBorins MylesBorins approved these changes

@addaleax addaleax addaleax approved these changes

@cjihrig cjihrig cjihrig approved these changes

@gengjiawen gengjiawen gengjiawen approved these changes

@devnexen devnexen devnexen approved these changes

@devsnek devsnek devsnek approved these changes

Assignees
No one assigned
Labels
http_parser Issues and PRs related to the HTTP Parser dependency or the http_parser binding. http Issues or PRs related to the http subsystem.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.