author: Daniel Bevenius <daniel.bevenius@gmail.com> 2021-01-22 12:34:21 +0100
committer: Richard Lau <rlau@redhat.com> 2021-02-22 17:16:43 +0000
commit: 922ada77132c1b0b69c9a146822d762b2f9b912b
tree: 6397bb70c2f15d38d100c5340462a71b0207a3ac /doc
parent: 1564752d553f582c8048ee45614f870ee2a446c9
http2: add unknownProtocol timeout
This commit adds a configuration option named unknownProtocolTimeout which can be specified to set a value for the timeout in milliseconds that a server should wait when an unknownProtocol is sent to it. When this happens a timer will be started and if the socket has not been destroyed during that time the timer callback will destroy it.

Refs: https://hackerone.com/reports/1043360
CVE-ID: CVE-2021-22883
PR-URL: https://github.com/nodejs-private/node-private/pull/246
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/250
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Diffstat (limited to 'doc')
-rw-r--r-- doc/api/http2.md 25
1 files changed, 24 insertions, 1 deletions
diff --git a/doc/api/http2.md b/doc/api/http2.md
index 219a837c06..7db9855e0e 100644
--- a/doc/api/http2.md
+++ b/doc/api/http2.md
@@ -1970,7 +1970,9 @@ added: v8.4.0
The `'unknownProtocol'` event is emitted when a connecting client fails to
negotiate an allowed protocol (i.e. HTTP/2 or HTTP/1.1). The event handler
receives the socket for handling. If no listener is registered for this event,
-the connection is terminated. See the [Compatibility API][].
+the connection is terminated. A timeout may be specified using the
+`'unknownProtocolTimeout'` option passed to [`http2.createSecureServer()`][].
+See the [Compatibility API][].
#### `server.close([callback])`
<!-- YAML
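Review bot: The added sentence "A timeout may be specified using the `'unknownProtocolTimeout'` option passed to [`http2.createSecureServer()`][]" links only the secure server, while this same patch documents the option under `http2.createServer()` too; link both or say which server types the timer applies to. The option name is also wrapped in single quotes like an event name (`'unknownProtocolTimeout'`), whereas the option lists later in the patch write it as `unknownProtocolTimeout`. Because the sentence directly follows "If no listener is registered for this event, the connection is terminated", it should say whether the timer runs only when a listener is registered.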
@@ -2010,6 +2012,9 @@ error will be thrown.
<!-- YAML
added: v8.4.0
changes:
+ - version: REPLACEME
+ pr-url: https://github.com/nodejs-private/node-private/pull/250
+ description: Added `unknownProtocolTimeout` option with a default of 10000.
- version:
- v12.18.0
pr-url: https://github.com/nodejs-private/node-private/pull/206
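Review bot: The new `changes` entry sets `pr-url` to pull/250, which the commit message lists as the Backport-PR-URL, while the PR-URL given there is pull/246; check which of the two the changelog entry should carry. The description "with a default of 10000" omits the unit, which the option text gives as milliseconds. `version: REPLACEME` still has to be substituted before release. The same entry is repeated verbatim in the two later `changes` hunks, so any fix applies there as well.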
@@ -2112,6 +2117,10 @@ changes:
`Http2ServerResponse` class to use.
Useful for extending the original `Http2ServerResponse`.
**Default:** `Http2ServerResponse`.
+ * `unknownProtocolTimeout` {number} Specifies a timeout in milliseconds that
+ a server should wait when an [`'unknownProtocol'`][] is emitted. If the
+ socket has not been destroyed by that time the server will destroy it.
+ **Default:** `10000`.
* ...: Any [`net.createServer()`][] option can be provided.
* `onRequestHandler` {Function} See [Compatibility API][]
* Returns: {Http2Server}
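Review bot: In this copy of the `unknownProtocolTimeout` entry the wording is "when an [`'unknownProtocol'`][] is emitted", missing the word "event" that the other two copies have ("event is emitted"); align the three. The entry relies on the reference link [`'unknownProtocol'`][] and no hunk in this diff adds a link definition for it, so confirm one already exists in http2.md.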
@@ -2148,6 +2157,9 @@ server.listen(80);
<!-- YAML
added: v8.4.0
changes:
+ - version: REPLACEME
+ pr-url: https://github.com/nodejs-private/node-private/pull/250
+ description: Added `unknownProtocolTimeout` option with a default of 10000.
- version:
- v12.18.0
pr-url: https://github.com/nodejs-private/node-private/pull/206
@@ -2240,6 +2252,10 @@ changes:
servers, the identity options (`pfx` or `key`/`cert`) are usually required.
* `origins` {string[]} An array of origin strings to send within an `ORIGIN`
frame immediately following creation of a new server `Http2Session`.
+ * `unknownProtocolTimeout` {number} Specifies a timeout in milliseconds that
+ a server should wait when an [`'unknownProtocol'`][] event is emitted. If
+ the socket has not been destroyed by that time the server will destroy it.
+ **Default:** `10000`.
* `onRequestHandler` {Function} See [Compatibility API][]
* Returns: {Http2SecureServer}
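Review bot: The entry says the server will destroy the socket if it "has not been destroyed by that time", but the event text earlier in this file says the handler "receives the socket for handling". State explicitly whether a handler that keeps the socket open still has it destroyed when the timer fires, and how to opt out if it does; the text does not say what a value of 0 means.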
@@ -2273,6 +2289,9 @@ server.listen(80);
<!-- YAML
added: v8.4.0
changes:
+ - version: REPLACEME
+ pr-url: https://github.com/nodejs-private/node-private/pull/250
+ description: Added `unknownProtocolTimeout` option with a default of 10000.
- version:
- v12.18.0
pr-url: https://github.com/nodejs-private/node-private/pull/206
@@ -2356,6 +2375,10 @@ changes:
instance passed to `connect` and the `options` object, and returns any
[`Duplex`][] stream that is to be used as the connection for this session.
* ...: Any [`net.connect()`][] or [`tls.connect()`][] options can be provided.
+ * `unknownProtocolTimeout` {number} Specifies a timeout in milliseconds that
+ a server should wait when an [`'unknownProtocol'`][] event is emitted. If
+ the socket has not been destroyed by that time the server will destroy it.
+ **Default:** `10000`.
* `listener` {Function} Will be registered as a one-time listener of the
[`'connect'`][] event.
* Returns: {ClientHttp2Session}
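Review bot: This entry is added to the option list that ends in "Returns: {ClientHttp2Session}", which is a client-side call, yet the text describes how long "a server should wait", and the first hunk documents `'unknownProtocol'` as emitted when a connecting client fails to negotiate with the server. Either drop the option from this list or describe what it does for a client session. It is also placed after the "...: Any [`net.connect()`][] or [`tls.connect()`][] options" catch-all, whereas the `createServer` hunk puts it before the catch-all.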