http: do not allow OBS fold in headers by default

Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Fixes: https://hackerone.com/reports/2237099 PR-URL: https://github.com/nodejs-private/node-private/pull/556 CVE-ID: CVE-2024-27982
2025-04-28 13:40:37 +00:00 · 2024-03-14 16:45:42 +01:00 · 2024-03-14 16:45:42 +01:00 · 04e16463d1
commit 04e16463d1
parent b25b5aca96
7 changed files with 299 additions and 283 deletions
--- a/deps/llhttp/.gitignore
+++ b/deps/llhttp/.gitignore
@ -1 +0,0 @@
-libllhttp.pc
--- a/deps/llhttp/CMakeLists.txt
+++ b/deps/llhttp/CMakeLists.txt
@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.5.1)
 cmake_policy(SET CMP0069 NEW)

-project(llhttp VERSION 9.2.0)
+project(llhttp VERSION 9.2.1)
 include(GNUInstallDirs)

 set(CMAKE_C_STANDARD 99)
--- a/deps/llhttp/README.md
+++ b/deps/llhttp/README.md
@ -397,7 +397,7 @@ With this flag this check is disabled.
 Make sure you have [Node.js](https://nodejs.org/), npm and npx installed. Then under project directory run:

 ```sh
-npm install
+npm ci
 make
 ```

@ -451,7 +451,7 @@ _Note that using the git repo directly (e.g., via a git repo url and tag) will n

 1. Ensure that `Clang` and `make` are in your system path.
 2. Using Git Bash, clone the repo to your preferred location.
-3. Cd into the cloned directory and run `npm install`
+3. Cd into the cloned directory and run `npm ci`
 5. Run `make`
 6. Your `repo/build` directory should now have `libllhttp.a` and `libllhttp.so` static and dynamic libraries.
 7. When building your executable, you can link to these libraries. Make sure to set the build folder as an include path when building so you can reference the declarations in `repo/build/llhttp.h`.
--- a/deps/llhttp/include/llhttp.h
+++ b/deps/llhttp/include/llhttp.h
@ -4,7 +4,7 @@

 #define LLHTTP_VERSION_MAJOR 9
 #define LLHTTP_VERSION_MINOR 2
-#define LLHTTP_VERSION_PATCH 0
+#define LLHTTP_VERSION_PATCH 1

 #ifndef INCLUDE_LLHTTP_ITSELF_H_
 #define INCLUDE_LLHTTP_ITSELF_H_
--- a/deps/llhttp/src/llhttp.c
+++ b/deps/llhttp/src/llhttp.c
--- a/test/parallel/test-http-multi-line-headers.js
+++ b/test/parallel/test-http-multi-line-headers.js
@ -46,7 +46,8 @@ const server = net.createServer(function(conn) {
 server.listen(0, common.mustCall(function() {
  http.get({
    host: '127.0.0.1',
-    port: this.address().port
+    port: this.address().port,
+    insecureHTTPParser: true
  }, common.mustCall(function(res) {
    assert.strictEqual(res.headers['content-type'],
                       'text/plain; x-unix-mode=0600; name="hello.txt"');
--- a/test/parallel/test-http-transfer-encoding-smuggling.js
+++ b/test/parallel/test-http-transfer-encoding-smuggling.js
@ -71,10 +71,7 @@ const net = require('net');
    '',
  ].join('\r\n');

-  const server = http.createServer(common.mustCall((request, response) => {
-    assert.notStrictEqual(request.url, '/admin');
-    response.end('hello world');
-  }), 1);
+  const server = http.createServer(common.mustNotCall());

  server.listen(0, common.mustSucceed(() => {
    const client = net.connect(server.address().port, 'localhost');