Currently it is not possible to inspect getters. To prevent any side
effects this should not become a default but under lots of
circumstances it would still be useful to inspect getters. This way
it is possible to actively opt into inspecting those.
PR-URL: https://github.com/nodejs/node/pull/24852
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
The only known condition where we could not provide appropriate
stdio streams so far were non-console Windows applications.
Since this issue has come up a few times in our issue tracker now,
switch to providing dummy streams for these cases instead.
If there are other valid cases in which `uv_guess_handle` fails,
and where there is a more sensible way to provide stdio,
we’ll probably still find out because the streams don’t work
properly either way.
Refs: https://github.com/nodejs/help/issues/1251
PR-URL: https://github.com/nodejs/node/pull/20640
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Fill in correct pr-url: value in the YAML changelog that was missing
from f512f5ea. The stanza was also sorted in the wrong order, most
recent is supposed to be in the beginning of the changes, not the end.
PR-URL: https://github.com/nodejs/node/pull/24759
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
The `console` functions rely on the `util.format()` behavior. It
did not follow the whatwg spec when it comes to symbols in combination
with the %d, %i and %f format specifiers. Using a symbol argument in
combination with one of these specifiers resulted in an error instead
of returning `'NaN'`. This is now fixed by this patch.
PR-URL: https://github.com/nodejs/node/pull/23708
Refs: https://console.spec.whatwg.org/#formatter
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes:
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/156/
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes:
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/155/
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* Node.js: HTTP request splitting (CVE-2018-12116)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
(CVE-2018-5407)
Notable Changes:
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
* Two-byte characters are now strictly disallowed for the `path` option in
HTTP client requests. Paths containing characters outside of the range
`\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
can be reverted if necessary by supplying the
`--security-revert=CVE-2018-12116` command line argument (this is not
recommended). Reported as security concern for Node.js 6 and 8 by
Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
Fünfstück applied to Node.js 10 and later.
(CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/154
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Debugger port 5858 listens on any interface by default
(CVE-2018-12120)
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* Node.js: HTTP request splitting (CVE-2018-12116)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
(CVE-2018-5407)
Notable Changes:
* debugger: Backport of https://github.com/nodejs/node/pull/8106 to
prevent the debugger from listening on `0.0.0.0`. It now defaults to
`127.0.0.1`. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
(CVE-2018-12122 / Matteo Collina)
* Two-byte characters are now strictly disallowed for the `path` option in
HTTP client requests. Paths containing characters outside of the range
`\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
can be reverted if necessary by supplying the
`--security-revert=CVE-2018-12116` command line argument (this is not
recommended). Reported as security concern for Node.js 6 and 8 by
Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
Fünfstück applied to Node.js 10 and later.
(CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing
URLs with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/153
CVE-2018-12122
An attacker can send a char/s within headers and exahust the resources
(file descriptors) of a system even with a tight max header length
protection. This PR destroys a socket if it has not received the headers
in 40s.
PR-URL: https://github.com/nodejs-private/node-private/pull/144
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
The existing secureProtocol option only allows setting the allowed
protocol to a specific version, or setting it to "all supported
versions". It also used obscure strings based on OpenSSL C API
functions. Directly setting the min or max is easier to use and explain.
PR-URL: https://github.com/nodejs/node/pull/24405
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
For TCP servers, the dual-stack support is enable by default, i.e.
binding host "::" will also make "0.0.0.0" bound. This commit add
ipv6Only option in `net.Server.listen()` and `dgram.createSocket()`
methods which allows to disable dual-stack support. Support for
cluster module is also provided in this commit.
Fixes: https://github.com/nodejs/node/issues/17664
PR-URL: https://github.com/nodejs/node/pull/23798
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
