http,https: protect against slow headers attack

CVE-2018-12122

An attacker can send a char/s within headers and exhaust the resources
(file descriptors) of a system even with a tight max header length
protection. This PR destroys a socket if it has not received the headers
in 40s.

PR-URL: https://github.com/nodejs-private/node-private/pull/144
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Matteo Collina
2018-08-23 16:46:07 +02:00
committed by Rod Vagg
parent 7bfcfc2ffe
commit ee618a7ab2
8 changed files with 183 additions and 11 deletions


@@ -74,6 +74,7 @@ function Server(opts, requestListener) {
this.timeout = 2 * 60 * 1000;
this.keepAliveTimeout = 5000;
this.maxHeadersCount = null;
this.headersTimeout = 40 * 1000; // 40 seconds
}
inherits(Server, tls.Server);
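Review bot: `this.headersTimeout = 40 * 1000; // 40 seconds` hard-codes a default that the commit (titled "http,https") also introduces for the plain http server; define it once as a shared constant both constructors read so the two defaults cannot drift, and document the new property next to `timeout` and `keepAliveTimeout`, since this hunk is the only place it appears and the commit message ("destroys a socket if it has not received the headers in 40s") is its only description. That documentation should also state that the value must stay below `this.timeout` (2 * 60 * 1000 in this constructor), otherwise the general socket timeout fires first and the headers guard is moot.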