delta/node-new.git - github.com: nodejs/node.git

	Commit message (Collapse)	Author	Age	Files	Lines
*	http2: remove security revert flags	Anna Henningsen	2019-08-18	1	-6/+0
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	As the comment in `node_revert.h` indicates, the master branch should not provide security revert flags. Refs: https://github.com/nodejs/node/pull/29122 PR-URL: https://github.com/nodejs/node/pull/29141 Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Gus Caplan <me@gus.host> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
*	http2: allow security revert for Ping/Settings Flood	Anna Henningsen	2019-08-15	1	-0/+1
\| \| \| \| \| \| \| \| \| \| \|	nghttp2 has updated its limit for outstanding Ping/Settings ACKs to 1000. This commit allows reverting to the old default of 10000. The associated CVEs are CVE-2019-9512/CVE-2019-9515. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
*	http2: consider 0-length non-end DATA frames an error	Anna Henningsen	2019-08-15	1	-0/+1
\| \| \| \| \| \| \| \|	This is intended to mitigate CVE-2019-9518. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
*	http2: handle 0-length headers better	Anna Henningsen	2019-08-15	1	-0/+1
\| \| \| \| \| \| \| \| \| \| \|	Ignore headers with 0-length names and track memory for headers the way we track it for other HTTP/2 session memory too. This is intended to mitigate CVE-2019-9516. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
*	http2: limit number of rejected stream openings	Anna Henningsen	2019-08-15	1	-1/+4
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Limit the number of streams that are rejected upon creation. Since each such rejection is associated with an `NGHTTP2_ENHANCE_YOUR_CALM` error that should tell the peer to not open any more streams, continuing to open streams should be read as a sign of a misbehaving peer. The limit is currently set to 100 but could be changed or made configurable. This is intended to mitigate CVE-2019-9514. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
*	src: pass along errors from `--security-reverts`	Anna Henningsen	2019-01-22	1	-3/+4
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Pass along errors from `Revert()` when a security revert is unknown (which currently applies to all possible values). Previously, we would unconditionally call `exit()`, which is not nice for embedding use cases, and could crash because we were holding a lock for a mutex in `ProcessGlobalArgs()` that would be destroyed by calling `exit()`. Also, add a regression test that makes sure that the process exits with the right exit code and not a crash. PR-URL: https://github.com/nodejs/node/pull/25466 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
*	src: move per-process global variables into node::per_process	Joyee Cheung	2019-01-08	1	-3/+5
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	So that it's easier to tell whether we are manipulating per-process global states that may need to be treated with care to avoid races. Also added comments about these variables and moved some of them to a more suitable compilation unit: - Move `v8_initialized` to `util.h` since it's only used in `util.cc` and `node.cc` - Rename `process_mutex` to `tty_mutex` and move it into `node_errors.cc` since that's the only place it's used to guard the tty. - Move `per_process_opts_mutex` and `per_process_opts` into `node_options.h` and rename them to `per_process::cli_options[_mutex]` - Rename `node_isolate[_mutex]` to `per_process::main_isolate[_mutex]` PR-URL: https://github.com/nodejs/node/pull/25302 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
*	meta: merge TSC and CTC back into a single body	James M Snell	2017-08-29	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \| \|	PR-URL: https://github.com/nodejs/node/pull/14973 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
*	src: minor cleanup for node_revert	James M Snell	2017-08-18	1	-22/+43
\| \| \| \| \| \| \| \| \|	Make the revert related functions inline to eliminate the need for node_revert.cc, prefix the constants and the def, other misc cleanup PR-URL: https://github.com/nodejs/node/pull/14864 Reviewed-By: Anna Henningsen <anna@addaleax.net>
*	src: add include guards to internal headers	Ben Noordhuis	2016-05-25	1	-0/+4
\| \| \| \| \| \| \| \| \| \| \|	For consistency with the newly added src/base64.h header, check that NODE_WANT_INTERNALS is defined and set in internal headers. PR-URL: https://github.com/nodejs/node/pull/6948 Refs: https://github.com/nodejs/node/pull/6910 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trevor Norris <trev.norris@gmail.com>
*	src: add --security-revert command line flag	James M Snell	2016-02-09	1	-0/+44
	The `--security-revert={cvenum}` command line flag is a special purpose flag to be used only in stable or LTS branches when a breaking change is required to address a security vulnerability. Whenever a vulnerability requires a breaking change, and a CVE has been assigned, the flag can be used to force Node to revert to the insecure behavior that was implemented before the fix was applied. Note that this flag is intended to be used only as a last resort in the case a security update breaks existing code. When used, a security warning will be printed to stderr when Node launches. The `--security-revert={cvenum}` flag takes a single CVE number as an argument. Multiple instances of the `--security-revert={cvenum}` flag can be used on the command line to revert multiple changes. Whenever a new `--security-revert={cvenum}` is enabled, it should be documented in the release notes and in the API docs. Master and the first release of a new major (e.g. v6.0) should not have any reverts available. Every time a new `--security-revert={cvenum}` is added, there should be a semver-minor bump in the stable and LTS branch. PR-URL: https://github.com/nodejs/node-private/pull/26 Reviewed-By: Rod Vagg <r@va.gg> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>