Skip to content

Fix: Potential Vulnerability in HTTP Parser Implementation #4297

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
yannaingtun wants to merge 5 commits into from
Closed

Fix: Potential Vulnerability in HTTP Parser Implementation #4297

yannaingtun wants to merge 5 commits into from

Conversation

@yannaingtun
Copy link

@yannaingtun yannaingtun commented Feb 27, 2025

Description
This PR fixes a security vulnerability in http_parser_execute() that was cloned from node but did not receive the security patch. The original issue was reported and fixed under nodejs/node@fc70ce0. This PR applies the same patch to eliminate the vulnerability.

References

@yannaingtun
Fix HTTP parser vulnerability to prevent request smuggling
1337951 
This patch addresses an HTTP request smuggling vulnerability by:
1. Adding allow_chunked_length parameter
2. Properly handling multiple Transfer-Encoding headers
3. Implementing RFC 7230 Section 3.3.3 checks for Transfer-Encoding and Content-Length conflicts

Based on fix: nodejs/node@fc70ce0
@winlinvip winlinvip added the EnglishNative This issue is conveyed exclusively in English. label Feb 27, 2025
@duiniuluantanqin
Copy link
Member

duiniuluantanqin commented Feb 28, 2025
edited by winlinvip
Loading

Please resolve the errors in the pipeline first.

TRANS_BY_GPT4

@winlinvip winlinvip force-pushed the develop branch 2 times, most recently from 195435d to 97e2b64 Compare July 1, 2025 14:39
@winlinvip
Copy link
Member

winlinvip commented Aug 12, 2025

Thank you, but the PR has been closed for too long a time.

@winlinvip winlinvip closed this Aug 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

EnglishNative This issue is conveyed exclusively in English.

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@yannaingtun @duiniuluantanqin @winlinvip