writeHead supports an array of arrays containing header name and values.
Compatibility between http2 & http1 even though this is not documented.
Fixes: https://github.com/nodejs/node/issues/24466
PR-URL: https://github.com/nodejs/node/pull/24665
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
On Windows creating a symlink to a directory will not work unless extra
'dir' parameter is passed. This adds a check if link target is a
directory, and if so automatically use 'dir' when creating symlink.
PR-URL: https://github.com/nodejs/node/pull/23724
Refs: https://github.com/nodejs/node/pull/23691
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
This was essentially a typo that went unnoticed because we
didn’t have tests for this particular situation.
Fixes: https://github.com/nodejs/node/issues/24647
PR-URL: https://github.com/nodejs/node/pull/24654
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
vcbuild will build cctest only if it will be run, or for CI and
release builds
PR-URL: https://github.com/nodejs/node/pull/21408
Reviewed-By: João Reis <reis@janeasystems.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
I working at "Code and Learn" on Node fest 2018 in Japan.
Refs: https://github.com/nodejs/node/pull/24431
PR-URL: https://github.com/nodejs/node/pull/24624
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Reviewed-By: Masashi Hirano <shisama07@gmail.com>
When testing fs.rename() of an non-existent file, use a destination path
which is in the same directory. Otherwise we might trigger an `EXDEV`
error if NODE_TEST_DIR is a separate device than the current working
directory.
Fixes: https://github.com/nodejs/node/issues/21669
PR-URL: https://github.com/nodejs/node/pull/24707
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This patch introduces a NativeModuleLoader::CompileAndCall that
can run a JS script under `lib/` as a function called
with a null receiver and arguments specified from the C++ layer.
Since all our bootstrappers are wrapped in functions in the
source to avoid leaking variables into the global scope anyway,
this allows us to remove that extra indentation in the JS source code.
As a start we move the compilation and execution of per_context.js
to NativeModuleLoader::CompileAndCall(). This patch also changes the
return value of NativeModuleLoader::LookupAndCompile() to a MaybeLocal
since the caller has to take care of the result being empty
anyway.
This patch reverts the previous design of having the
NativeModuleLoader::Compile() method magically know about the
parameters of the function - until we have tooling
in-place to guess the parameter names in the source with some
annotation, it's more readable to allow the caller to specify
the parameters along with the arguments values.
PR-URL: https://github.com/nodejs/node/pull/24660
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
process.on('somesignal', ...) semantics expect the process to catch the
signal and invoke the associated handler. `setupSignalHandlers` perform
the additional task of preparing the libuv signal handler and associate
it with the event handler. It is possible that by the time this is
setup there could be pre-existing registrations that pre-date this setup
in the boot sequence.
So rearm pre-existing signal event registrations to get upto speed.
Ref: https://github.com/nodejs/node/pull/22712#discussion_r232457318
PR-URL: https://github.com/nodejs/node/pull/24651
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
This patch:
- Refactors the Console constructor: moves the property binding code
into and the writable streams binding code into two methods defined
on the Console.prototype with symbols.
- Refactors the global console creation: we only need to share the
property binding code from the Console constructor. To bind the
streams we can lazy load `process.stdio` and `process.stderr`
so that we don't create these streams when they are not used.
This significantly reduces the number of modules loaded during
bootstrap. Also, by calling the refactored-out method directly
we can skip the unnecessary typechecks when creating the global
console and there is no need to create a temporary Console
anymore.
- Refactors the error handler creation and the `write` method:
use a `kUseStdout` symbol to tell the internals which stream
should be loaded from the console instance. Also put the
`write` method on the Console prototype so it just loads
other properties directly off the console instance which simplifies
the call sites.
Also leaves a few TODOs for further refactoring of the console
bootstrap.
PR-URL: https://github.com/nodejs/node/pull/24534
Reviewed-By: Gus Caplan <me@gus.host>
The error message validation in test-uv-binding-constant depends on the
JS engine. The text will be different in node-chakracore than in
V8-based versions of Node.js. Remove the message validation. Test that
it is a TypeError only. We should only validate error messages when we
control the contents of that error message (and not even necessarily
then, but that is a minimum requirement). V8 and other underlying
engines can change the error message at any time and that should not
require us to change our tests (as changing tests suggests a
semver-major change).
PR-URL: https://github.com/nodejs/node/pull/24666
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
In `test/parallel/test-child-process-env.js`, callbacks use
anonymous closure functions. It is safe to replace them with arrow
functions since these callbacks don't contain references to `this`,
`super` or `arguments`. This results in shorter functions.
PR-URL: https://github.com/nodejs/node/pull/24482
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
convert to Arrow Function and test by `./tools/test.py tick-processor`
PR-URL: https://github.com/nodejs/node/pull/24615
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Masashi Hirano <shisama07@gmail.com>
Revise the "Accepting Modifications" section of the Collaborator Guide.
PR-URL: https://github.com/nodejs/node/pull/24650
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
In lib/internal/streams/async_iterator.js, use arrow function for
callback.
PR-URL: https://github.com/nodejs/node/pull/24609
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ron Korving <ron@ronkorving.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
The processing of strings like `8.x` into a major version number and a
minor version number results in minor versions that are `NaN`. In that
situation, since the picker will link to the latest docs in the
major version, include the version in the version picker.
Fixes: https://github.com/nodejs/node/issues/23979
PR-URL: https://github.com/nodejs/node/pull/24638
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes:
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/156/
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes:
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/155/
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* Node.js: HTTP request splitting (CVE-2018-12116)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
(CVE-2018-5407)
Notable Changes:
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
* Two-byte characters are now strictly disallowed for the `path` option in
HTTP client requests. Paths containing characters outside of the range
`\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
can be reverted if necessary by supplying the
`--security-revert=CVE-2018-12116` command line argument (this is not
recommended). Reported as security concern for Node.js 6 and 8 by
Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
Fünfstück applied to Node.js 10 and later.
(CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/154
