author | James M Snell <jasnell@gmail.com> | 2020-04-27 10:47:58 -0700 |
---|---|---|
committer | Michaël Zasso <targos@protonmail.com> | 2020-06-02 20:35:51 +0200 |
commit | 3948830ce6408be620b09a70bf66158623022af0 (patch) | |
tree | f13e62ac0028186ec7e9d91cb344f33e95f05bd2 /doc | |
parent | d3beb50da3b93cc26cb2ba2fadf66d74138a6afa (diff) | |
http2: implement support for max settings entries

Adds the maxSettings option to limit the number of settings
entries allowed per SETTINGS frame. Default 32

Fixes: https://hackerone.com/reports/446662
CVE-ID: CVE-2020-11080
PR-URL: https://github.com/nodejs-private/node-private/pull/204
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/api/http2.md | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/doc/api/http2.md b/doc/api/http2.md index 7f61bc54eb..21385af1b5 100644 --- a/doc/api/http2.md +++ b/doc/api/http2.md @@ -2001,6 +2001,9 @@ value only affects new connections to the server, not any existing connections. <!-- YAML added: v8.4.0 changes: + - version: REPLACEME + pr-url: https://github.com/nodejs-private/node-private/pull/204 + description: Added `maxSettings` option with a default of 32. - version: - v13.3.0 - v12.16.0 @@ -2037,6 +2040,8 @@ changes: * `options` {Object} * `maxDeflateDynamicTableSize` {number} Sets the maximum dynamic table size for deflating header fields. **Default:** `4Kib`. + * `maxSettings` {number} Sets the maximum number of settings entries per + `SETTINGS` frame. The minimum value allowed is `1`. **Default:** `32`. * `maxSessionMemory`{number} Sets the maximum memory that the `Http2Session` is permitted to use. The value is expressed in terms of number of megabytes, e.g. `1` equal 1 megabyte. The minimum value allowed is `1`. @@ -2132,6 +2137,9 @@ server.listen(80); <!-- YAML added: v8.4.0 changes: + - version: REPLACEME + pr-url: https://github.com/nodejs-private/node-private/pull/204 + description: Added `maxSettings` option with a default of 32. - version: - v13.3.0 - v12.16.0 @@ -2168,6 +2176,8 @@ changes: **Default:** `false`. * `maxDeflateDynamicTableSize` {number} Sets the maximum dynamic table size for deflating header fields. **Default:** `4Kib`. + * `maxSettings` {number} Sets the maximum number of settings entries per + `SETTINGS` frame. The minimum value allowed is `1`. **Default:** `32`. * `maxSessionMemory`{number} Sets the maximum memory that the `Http2Session` is permitted to use. The value is expressed in terms of number of megabytes, e.g. `1` equal 1 megabyte. The minimum value allowed is `1`. This is a 
@@ -2250,6 +2260,9 @@ server.listen(80); <!-- YAML added: v8.4.0 changes: + - version: REPLACEME + pr-url: https://github.com/nodejs-private/node-private/pull/204 + description: Added `maxSettings` option with a default of 32. - version: v13.0.0 pr-url: https://github.com/nodejs/node/pull/29144 description: The `PADDING_STRATEGY_CALLBACK` has been made equivalent to @@ -2273,6 +2286,8 @@ changes: * `options` {Object} * `maxDeflateDynamicTableSize` {number} Sets the maximum dynamic table size for deflating header fields. **Default:** `4Kib`. + * `maxSettings` {number} Sets the maximum number of settings entries per + `SETTINGS` frame. The minimum value allowed is `1`. **Default:** `32`. * `maxSessionMemory`{number} Sets the maximum memory that the `Http2Session` is permitted to use. The value is expressed in terms of number of megabytes, e.g. `1` equal 1 megabyte. The minimum value allowed is `1`. |
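
Review bot: In the three options-list hunks (@@ -2037, @@ -2168 and @@ -2273), the new `maxSettings` entry does not say what happens when a `SETTINGS` frame carries more entries than the limit, and it states a minimum of `1` but no maximum. Suggest adding a sentence that documents the outcome for the session when the limit is exceeded and whether the limit applies only to frames received from the peer. The commit message ties this option to CVE-2020-11080, so the entry should also tell operators that this is a protective limit before they raise it above `32`.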
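
Review bot: In the three YAML `changes:` hunks (@@ -2001, @@ -2132 and @@ -2250), `pr-url` points at `nodejs-private/node-private/pull/204`, which by its name is a private repository that readers of the published docs may not be able to open. Suggest replacing it with a publicly reachable reference at the same time the `REPLACEME` version placeholder is filled in, so the changelog entry stays useful to someone tracing why `maxSettings` was added.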