From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id WLGSIszfbWP+ewAAbAwnHQ (envelope-from ) for ; Fri, 11 Nov 2022 06:38:20 +0100 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id ADCpIczfbWOa4gAAG6o9tA (envelope-from ) for ; Fri, 11 Nov 2022 06:38:20 +0100 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 27A1329179 for ; Fri, 11 Nov 2022 06:38:20 +0100 (CET) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1otMjt-0007OK-Ir; Fri, 11 Nov 2022 00:38:05 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1otMjs-0007Nb-5c for guix-patches@gnu.org; Fri, 11 Nov 2022 00:38:04 -0500 Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1otMjq-0003Px-4w for guix-patches@gnu.org; Fri, 11 Nov 2022 00:38:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1otMjp-0003kg-UW for guix-patches@gnu.org; Fri, 11 Nov 2022 00:38:01 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#59188] [PATCH 2/4] gnu: llhttp-bootstrap: Update to 6.0.10. Resent-From: Hilton Chain Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 11 Nov 2022 05:38:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 59188 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 59188@debbugs.gnu.org Received: via spool by 59188-submit@debbugs.gnu.org id=B59188.166814503514338 (code B ref 59188); Fri, 11 Nov 2022 05:38:01 +0000 Received: (at 59188) by debbugs.gnu.org; 11 Nov 2022 05:37:15 +0000 Received: from localhost ([127.0.0.1]:44865 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1otMj5-0003jB-1N for submit@debbugs.gnu.org; Fri, 11 Nov 2022 00:37:15 -0500 Received: from mail.boiledscript.com ([144.168.59.46]:60002) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1otMj2-0003iy-Ib for 59188@debbugs.gnu.org; Fri, 11 Nov 2022 00:37:13 -0500 Date: Fri, 11 Nov 2022 13:36:44 +0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ultrarare.space; s=dkim; t=1668145026; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Nt0XDhBl4b1d9p7IR3qcKznTKx+BRAza5fynxVmXT+E=; b=pqDdubAYIxJ3E32MwQPUjqn2cTqUfoSyVasM7wYuyHEdCY6lUfFxGJHrBur+n6STet9cHT B0RrVDIRNuDHjMB8ipHjgZxdgIJVrXrfSparhwcoDsNqgjrPwswM99iByjAXJJROZBH0gW gZcsgglda2M+s9ZKWdGqPNIabStoviLCAojgSQf5ep/Nx6U5W2anYndZH4rZlGIZe4iO4j uWM6twEwIxDis4Yupa0Ic4gcbR/wmp+MkkH68QWR8cmg6Xbry+Ird5AaDQbwKEbw5jkyVa iWjpPpgPzSdyb46D0VJ+AEuYPyw4m/0dmelSaD/dRPaZovUeua+ZuudjVnX4DA== Message-ID: In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit X-Spamd-Bar: / X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-to: Hilton Chain X-ACL-Warn: , Hilton Chain via Guix-patches From: Hilton Chain via Guix-patches via Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: guix-patches-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1668145100; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=Nt0XDhBl4b1d9p7IR3qcKznTKx+BRAza5fynxVmXT+E=; b=g5K0HbL3gp4Xxp2WTyLMifLvqKoHkhAA2wYufjprJPzTaUsC06mYwOrEiJZU0EVxCGWoTi yYPT9vntJwl1YNKkOdv+f7NnxG/5oKwC+IFjEDgVkkgM/juTYH+Gk8r0bcyZScq2+HeB2T IEMC6ydhq5T1aYXy9gNtzAnVAwiW1Iv9OpzS6yBkX76Nnw8MHUKaCFBpX9Luwmshxb2R91 +M7ClBx6buR3eIJpM6zN5KbwnD4l+dBJ+JOY7D/xRL4jUpJI3JKgyX8Y4aLsOIFCjOy6O0 6yAG9qq/+GlMBzJFBL+5O401e8j57h7QwyAOAAcNYtPW1DaCy3tinDkk0fumCw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1668145100; a=rsa-sha256; cv=none; b=le6EedBN+RgwhfkKl9GBs3kJJrHaFjuvZDcwuy9MnY6JDMcqQHtaIO78FxFrDbP5yDghB4 z8MQre7q0b9b6wCBLpAUckONSk0v9mUkCeLgjwCb1ktCWX5m8qvinBzyHlRC3FOvC0uoT0 KuvBaNyKM8wDzTjSttSMNSNwXglhoyLxyS/yUF073DsR3i3lZ8kzsefMtCq4mYVy4zt34K jX5qNAh7klWdY2zIrw1DHhWOLLB168Uz6fnHUm4PbAsLZpBbOLebce6YkBXkMSAwDtMRoL mXzqeFEXC9f9AiCrKlQyXbezSZyzXIe++18SEHdU8lowRUCarr4G9/kg7eD3kQ== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=ultrarare.space header.s=dkim header.b=pqDdubAY; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -3.52 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=ultrarare.space header.s=dkim header.b=pqDdubAY; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 27A1329179 X-Spam-Score: -3.52 X-Migadu-Scanner: scn1.migadu.com X-TUID: Zz1UlnZoP6ai * gnu/packages/node.scm (llhttp-bootstrap): Update to 6.0.10. * gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch: Remove file. * gnu/local.mk: Remove it. --- gnu/local.mk | 1 - gnu/packages/node.scm | 5 +- .../llhttp-bootstrap-CVE-2020-8287.patch | 100 ------------------ 3 files changed, 2 insertions(+), 104 deletions(-) delete mode 100644 gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch diff --git a/gnu/local.mk b/gnu/local.mk index 27b31ea27f..1c4b9def96 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1480,7 +1480,6 @@ dist_patch_DATA = \ %D%/packages/patches/linuxdcpp-openssl-1.1.patch \ %D%/packages/patches/lirc-localstatedir.patch \ %D%/packages/patches/lirc-reproducible-build.patch \ - %D%/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch \ %D%/packages/patches/llvm-3.5-fix-clang-build-with-gcc5.patch \ %D%/packages/patches/llvm-3.6-fix-build-with-gcc-10.patch \ %D%/packages/patches/llvm-3.x.1-fix-build-with-gcc.patch \ diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm index 4e9daa522d..0af0158f45 100644 --- a/gnu/packages/node.scm +++ b/gnu/packages/node.scm @@ -666,7 +666,7 @@ (define-public node-llparse-bootstrap (define-public llhttp-bootstrap (package (name "llhttp") - (version "2.1.4") + (version "6.0.10") (source (origin (method git-fetch) (uri (git-reference @@ -675,8 +675,7 @@ (define-public llhttp-bootstrap (file-name (git-file-name name version)) (sha256 (base32 - "115mwyds9655p76lhglxg2blc1ksgrix6zhigaxnc2q6syy3pa6x")) - (patches (search-patches "llhttp-bootstrap-CVE-2020-8287.patch")) + "0izwqa77y007xdi0bj3ccw821n19rz89mz4hx4lg99fwkwylr6x8")) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch b/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch deleted file mode 100644 index 215c920e53..0000000000 --- a/gnu/packages/patches/llhttp-bootstrap-CVE-2020-8287.patch +++ /dev/null @@ -1,100 +0,0 @@ -This patch comes from upstream. It corresponds to a patch applied to -the generated C source code for llhttp included in Node.js 14.16.0 -(see commit 641f786bb1a1f6eb1ff8750782ed939780f2b31a). That commit -fixes CVE-2020-8287. With this patch, the output of our -llhttp-bootstrap package matches the files included in Node.js 14.16.0 -exactly. - -commit e9b36ea64709c35ca66094d5cf3787f444029601 -Author: Fedor Indutny -Date: Sat Oct 10 19:56:01 2020 -0700 - - http: unset `F_CHUNKED` on new `Transfer-Encoding` - - Duplicate `Transfer-Encoding` header should be a treated as a single, - but with original header values concatenated with a comma separator. In - the light of this, even if the past `Transfer-Encoding` ended with - `chunked`, we should be not let the `F_CHUNKED` to leak into the next - header, because mere presence of another header indicates that `chunked` - is not the last transfer-encoding token. - -diff --git a/src/llhttp/http.ts b/src/llhttp/http.ts -index f4f1a6e..0a0c365 100644 ---- a/src/llhttp/http.ts -+++ b/src/llhttp/http.ts -@@ -460,11 +460,19 @@ export class HTTP { - .match([ ' ', '\t' ], n('header_value_discard_ws')) - .otherwise(checkContentLengthEmptiness); - -+ // Multiple `Transfer-Encoding` headers should be treated as one, but with -+ // values separate by a comma. -+ // -+ // See: https://tools.ietf.org/html/rfc7230#section-3.2.2 -+ const toTransferEncoding = this.unsetFlag( -+ FLAGS.CHUNKED, -+ 'header_value_te_chunked'); -+ - n('header_value_start') - .otherwise(this.load('header_state', { - [HEADER_STATE.UPGRADE]: this.setFlag(FLAGS.UPGRADE, fallback), - [HEADER_STATE.TRANSFER_ENCODING]: this.setFlag( -- FLAGS.TRANSFER_ENCODING, 'header_value_te_chunked'), -+ FLAGS.TRANSFER_ENCODING, toTransferEncoding), - [HEADER_STATE.CONTENT_LENGTH]: n('header_value_content_length_once'), - [HEADER_STATE.CONNECTION]: n('header_value_connection'), - }, 'header_value')); -@@ -847,6 +855,11 @@ export class HTTP { - return span.start(span.end(this.node(next))); - } - -+ private unsetFlag(flag: FLAGS, next: string | Node): Node { -+ const p = this.llparse; -+ return p.invoke(p.code.and('flags', ~flag), this.node(next)); -+ } -+ - private setFlag(flag: FLAGS, next: string | Node): Node { - const p = this.llparse; - return p.invoke(p.code.or('flags', flag), this.node(next)); -diff --git a/test/request/transfer-encoding.md b/test/request/transfer-encoding.md -index a7d1681..b0891d6 100644 ---- a/test/request/transfer-encoding.md -+++ b/test/request/transfer-encoding.md -@@ -353,6 +353,38 @@ off=106 headers complete method=3 v=1/1 flags=200 content_length=0 - off=106 error code=15 reason="Request has invalid `Transfer-Encoding`" - ``` - -+## POST with `chunked` and duplicate transfer-encoding -+ -+ -+```http -+POST /post_identity_body_world?q=search#hey HTTP/1.1 -+Accept: */* -+Transfer-Encoding: chunked -+Transfer-Encoding: deflate -+ -+World -+``` -+ -+```log -+off=0 message begin -+off=5 len=38 span[url]="/post_identity_body_world?q=search#hey" -+off=44 url complete -+off=54 len=6 span[header_field]="Accept" -+off=61 header_field complete -+off=62 len=3 span[header_value]="*/*" -+off=67 header_value complete -+off=67 len=17 span[header_field]="Transfer-Encoding" -+off=85 header_field complete -+off=86 len=7 span[header_value]="chunked" -+off=95 header_value complete -+off=95 len=17 span[header_field]="Transfer-Encoding" -+off=113 header_field complete -+off=114 len=7 span[header_value]="deflate" -+off=123 header_value complete -+off=125 headers complete method=3 v=1/1 flags=200 content_length=0 -+off=125 error code=15 reason="Request has invalid `Transfer-Encoding`" -+``` -+ - ## POST with `chunked` before other transfer-coding (lenient) - - TODO(indutny): should we allow it even in lenient mode? (Consider disabling -- 2.38.1