diff options
| author | Evan Lucas <evanlucas@me.com> | 2016-06-13 21:09:03 -0500 |
|---|---|---|
| committer | Rod Vagg <rod@vagg.org> | 2016-09-27 22:17:36 +1000 |
| commit | 3614a173d0a0827bb9f7a1aa65bf9ccc9c7d6784 (patch) | |
| tree | cfeeb78cb45db45d377be10eb3c22e9183eb4232 | |
| parent | f2433430cab27144222b96096c64fe3757fe93d1 (diff) | |
| download | node-new-3614a173d0a0827bb9f7a1aa65bf9ccc9c7d6784.tar.gz | |
http: check reason chars in writeHead
Previously, the reason argument passed to ServerResponse#writeHead was
not being properly validated. One could pass CRLFs which could lead to
http response splitting. This commit changes the behavior to throw an
error in the event any invalid characters are included in the reason.
CVE-2016-5325
PR-URL: https://github.com/nodejs/node-private/pull/48
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
| -rw-r--r-- | lib/http.js | 3 | ||||
| -rw-r--r-- | test/simple/test-http-status-reason-invalid-chars.js | 27 |
2 files changed, 30 insertions, 0 deletions
diff --git a/lib/http.js b/lib/http.js index 2814f6b43a..b614384418 100644 --- a/lib/http.js +++ b/lib/http.js @@ -1233,6 +1233,9 @@ ServerResponse.prototype.writeHead = function(statusCode) { if (statusCode < 100 || statusCode > 999) throw new RangeError('Invalid status code: ' + statusCode); + if (_checkInvalidHeaderChar(reasonPhrase)) + throw new Error('Invalid character in statusMessage.'); + var statusLine = 'HTTP/1.1 ' + statusCode.toString() + ' ' + reasonPhrase + CRLF; diff --git a/test/simple/test-http-status-reason-invalid-chars.js b/test/simple/test-http-status-reason-invalid-chars.js new file mode 100644 index 0000000000..a2124b7242 --- /dev/null +++ b/test/simple/test-http-status-reason-invalid-chars.js @@ -0,0 +1,27 @@ +'use strict'; + +var common = require('../common'); +var assert = require('assert'); +var http = require('http'); + +var server = http.createServer(function(req, res) { + assert.throws(function() { + res.writeHead(200, 'OK\r\nContent-Type: text/html\r\n'); + }, /Invalid character in statusMessage/); + + assert.throws(function() { + res.writeHead(200, 'OK\u010D\u010AContent-Type: gotcha\r\n'); + }, /Invalid character in statusMessage/); + res.end(); +}).listen(common.PORT, common.mustCall(function() { + var url = 'http://localhost:' + common.PORT; + var left = 1; + var check = common.mustCall(function(res) { + res.resume(); + left--; + assert.notEqual(res.headers['content-type'], 'text/html'); + assert.notEqual(res.headers['content-type'], 'gotcha'); + if (left === 0) server.close(); + }, 1); + http.get(url + '/explicit', check); +})); |