Only backport the unit test. Node8 does not trigger.
From 922ada77132c1b0b69c9a146822d762b2f9b912b Mon Sep 17 00:00:00 2001
From: Daniel Bevenius <daniel.bevenius@gmail.com>
Date: Fri, 22 Jan 2021 12:34:21 +0100
Subject: [PATCH] http2: add unknownProtocol timeout
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit adds a configuration option named unknownProtocolTimeout
which can be specified to set a value for the timeout in milliseconds
that a server should wait when an unknownProtocol is sent to it. When
this happens a timer will be started and if the socket has not been
destroyed during that time the timer callback will destroy it.
Refs: https://hackerone.com/reports/1043360
CVE-ID: CVE-2021-22883
PR-URL: https://github.com/nodejs-private/node-private/pull/246
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/250
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
---
doc/api/http2.md | 25 +++++++++++++-
lib/internal/http2/core.js | 31 ++++++++++++++---
.../test-http2-server-unknown-protocol.js | 33 +++++++++++++++++++
3 files changed, 84 insertions(+), 5 deletions(-)
create mode 100644 test/parallel/test-http2-server-unknown-protocol.js
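--- /dev/null
+++ b/test/parallel/test-http2-server-unknown-protocol.js
@@ -0,0 +1,39 @@
+'use strict';
+const common = require('../common');
+const fixtures = require('../common/fixtures');
+
+// This test verifies that when a server receives an unknownProtocol it will
+// not leave the socket open if the client does not close it.
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const h2 = require('http2');
+const tls = require('tls');
+
+const certPem = fixtures.readSync('test_cert.pem', 'ascii');
+const keyPem = fixtures.readSync('test_key.pem', 'ascii');
+
+// key: fixtures.readKey('rsa_private_2048.pem'),
+// cert: fixtures.readKey('rsa_public_2048.pem'),
+
+const server = h2.createSecureServer({
+  cert: certPem,
+  key: keyPem,
+  unknownProtocolTimeout: 500,
+  allowHalfOpen: true
+});
+
+server.on('connection', (socket) => {
+  socket.on('close', common.mustCall(() => {
+    server.close();
+  }));
+});
+
+server.listen(0, function() {
+  tls.connect({
+    port: server.address().port,
+    rejectUnauthorized: false,
+    ALPNProtocols: ['bogus']
+  });
+});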
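Review bot: The commented-out `// key: fixtures.readKey('rsa_private_2048.pem'),` and `// cert: fixtures.readKey('rsa_public_2048.pem'),` lines in the new test are dead code left over from an alternative fixture choice and should be dropped, since `certPem`/`keyPem` are already read from `test_cert.pem`/`test_key.pem` a few lines above. The patch header says only the unit test is backported, so `unknownProtocolTimeout: 500` presumably has no effect in this tree; a one-line comment above that option such as `// Kept for parity with upstream; this tree closes the socket without it` would save the next reader from looking for a missing core.js change. Because `common.mustCall` on the socket's `'close'` event is the only assertion, a socket that is never destroyed would keep the server listening and hang the test until the harness timeout rather than failing with a message, which is acceptable for a resource-release check like this but worth stating in the test's header comment.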