mirror of
https://github.com/nodejs/node.git
synced 2025-05-01 17:03:34 +00:00
b4cfa521b8
Ignore headers with 0-length names and track memory for headers the way we track it for other HTTP/2 session memory too. This is intended to mitigate CVE-2019-9516. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
26 lines
691 B
JavaScript
26 lines
691 B
JavaScript
'use strict';
|
|
const common = require('../common');
|
|
if (!common.hasCrypto)
|
|
common.skip('missing crypto');
|
|
|
|
const assert = require('assert');
|
|
const http2 = require('http2');
|
|
|
|
const server = http2.createServer();
|
|
server.on('stream', (stream, headers) => {
|
|
assert.deepStrictEqual(headers, {
|
|
':scheme': 'http',
|
|
':authority': `localhost:${server.address().port}`,
|
|
':method': 'GET',
|
|
':path': '/',
|
|
'bar': '',
|
|
'__proto__': null
|
|
});
|
|
stream.session.destroy();
|
|
server.close();
|
|
});
|
|
server.listen(0, common.mustCall(() => {
|
|
const client = http2.connect(`http://localhost:${server.address().port}/`);
|
|
client.request({ ':path': '/', '': 'foo', 'bar': '' }).end();
|
|
}));
|