diff --git a/SOURCES/0001-fix-Do-not-allow-OBS-fold-in-headers-by-default.patch b/SOURCES/0001-fix-Do-not-allow-OBS-fold-in-headers-by-default.patch new file mode 100644 index 0000000..3edc420 --- /dev/null +++ b/SOURCES/0001-fix-Do-not-allow-OBS-fold-in-headers-by-default.patch @@ -0,0 +1,198 @@ +From ebfb5d982de56d8bbc87db8448e8d35a883202d3 Mon Sep 17 00:00:00 2001 +From: Paolo Insogna +Date: Tue, 29 Oct 2024 09:29:50 +0000 +Subject: [PATCH] fix: Do not allow OBS fold in headers by default. + +Upstream backport: https://github.com/nodejs/llhttp/pull/348 +--- + src/llhttp/http.ts | 13 +++-- + test/request/connection.md | 4 +- + test/request/invalid.md | 85 ++++++++++++++++++++++++++++++ + test/request/sample.md | 2 +- + test/request/transfer-encoding.md | 2 +- + test/response/transfer-encoding.md | 2 +- + 6 files changed, 98 insertions(+), 10 deletions(-) + +diff --git a/src/llhttp/http.ts b/src/llhttp/http.ts +index d0bfd48..40eff4c 100644 +--- a/src/llhttp/http.ts ++++ b/src/llhttp/http.ts +@@ -827,11 +827,14 @@ export class HTTP { + 'Missing expected LF after header value')); + + n('header_value_lws') +- .peek([ ' ', '\t' ], +- this.load('header_state', { +- [HEADER_STATE.TRANSFER_ENCODING_CHUNKED]: +- this.resetHeaderState(span.headerValue.start(n('header_value_start'))), +- }, span.headerValue.start(n('header_value_start')))) ++ .peek( ++ [ ' ', '\t' ], ++ this.testLenientFlags(LENIENT_FLAGS.HEADERS, { ++ 1: this.load('header_state', { ++ [HEADER_STATE.TRANSFER_ENCODING_CHUNKED]: ++ this.resetHeaderState(span.headerValue.start(n('header_value_start'))), ++ }, span.headerValue.start(n('header_value_start'))), ++ }, p.error(ERROR.INVALID_HEADER_TOKEN, 'Unexpected whitespace after header value'))) + .otherwise(this.setHeaderFlags(onHeaderValueComplete)); + + const checkTrailing = this.testFlags(FLAGS.TRAILING, { +diff --git a/test/request/connection.md b/test/request/connection.md +index a03242e..68ed3e0 100644 +--- a/test/request/connection.md ++++ b/test/request/connection.md +@@ -374,7 +374,7 @@ off=75 message complete + + ### Multiple tokens with folding + +- ++ + ```http + GET /demo HTTP/1.1 + Host: example.com +@@ -465,7 +465,7 @@ off=75 error code=22 reason="Pause on CONNECT/Upgrade" + + ### Multiple tokens with folding, LWS, and CRLF + +- ++ + ```http + GET /demo HTTP/1.1 + Connection: keep-alive, \r\n upgrade +diff --git a/test/request/invalid.md b/test/request/invalid.md +index 8eadacf..0d3b36e 100644 +--- a/test/request/invalid.md ++++ b/test/request/invalid.md +@@ -583,4 +583,89 @@ off=122 len=3 span[header_value]="ghi" + off=126 header_value complete + off=127 chunk complete + off=127 message complete ++``` ++ ++### Spaces before headers ++ ++ ++ ++```http ++POST /hello HTTP/1.1 ++Host: localhost ++Foo: bar ++ Content-Length: 38 ++ ++GET /bye HTTP/1.1 ++Host: localhost ++ ++ ++``` ++ ++```log ++off=0 message begin ++off=0 len=4 span[method]="POST" ++off=4 method complete ++off=5 len=6 span[url]="/hello" ++off=12 url complete ++off=17 len=3 span[version]="1.1" ++off=20 version complete ++off=22 len=4 span[header_field]="Host" ++off=27 header_field complete ++off=28 len=9 span[header_value]="localhost" ++off=39 header_value complete ++off=39 len=3 span[header_field]="Foo" ++off=43 header_field complete ++off=44 len=3 span[header_value]="bar" ++off=49 error code=10 reason="Unexpected whitespace after header value" ++``` ++ ++### Spaces before headers (lenient) ++ ++ ++ ++```http ++POST /hello HTTP/1.1 ++Host: localhost ++Foo: bar ++ Content-Length: 38 ++ ++GET /bye HTTP/1.1 ++Host: localhost ++ ++ ++``` ++ ++```log ++off=0 message begin ++off=0 len=4 span[method]="POST" ++off=4 method complete ++off=5 len=6 span[url]="/hello" ++off=12 url complete ++off=17 len=3 span[version]="1.1" ++off=20 version complete ++off=22 len=4 span[header_field]="Host" ++off=27 header_field complete ++off=28 len=9 span[header_value]="localhost" ++off=39 header_value complete ++off=39 len=3 span[header_field]="Foo" ++off=43 header_field complete ++off=44 len=3 span[header_value]="bar" ++off=49 len=19 span[header_value]=" Content-Length: 38" ++off=70 header_value complete ++off=72 headers complete method=3 v=1/1 flags=0 content_length=0 ++off=72 message complete ++off=72 reset ++off=72 message begin ++off=72 len=3 span[method]="GET" ++off=75 method complete ++off=76 len=4 span[url]="/bye" ++off=81 url complete ++off=86 len=3 span[version]="1.1" ++off=89 version complete ++off=91 len=4 span[header_field]="Host" ++off=96 header_field complete ++off=97 len=9 span[header_value]="localhost" ++off=108 header_value complete ++off=110 headers complete method=1 v=1/1 flags=0 content_length=0 ++off=110 message complete + ``` +\ No newline at end of file +diff --git a/test/request/sample.md b/test/request/sample.md +index f0a5d44..de2ceb9 100644 +--- a/test/request/sample.md ++++ b/test/request/sample.md +@@ -540,7 +540,7 @@ off=61 message complete + + See nodejs/test/parallel/test-http-headers-obstext.js + +- ++ + ```http + GET / HTTP/1.1 + X-SSL-Nonsense: -----BEGIN CERTIFICATE----- +diff --git a/test/request/transfer-encoding.md b/test/request/transfer-encoding.md +index 0f839bc..b1b523d 100644 +--- a/test/request/transfer-encoding.md ++++ b/test/request/transfer-encoding.md +@@ -893,7 +893,7 @@ off=51 error code=12 reason="Invalid character in chunk size" + + ## Invalid OBS fold after chunked value + +- ++ + ```http + PUT /url HTTP/1.1 + Transfer-Encoding: chunked +diff --git a/test/response/transfer-encoding.md b/test/response/transfer-encoding.md +index e1fd10a..0f54c72 100644 +--- a/test/response/transfer-encoding.md ++++ b/test/response/transfer-encoding.md +@@ -370,7 +370,7 @@ off=101 error code=2 reason="Invalid character in chunk extensions quoted value" + + ## Invalid OBS fold after chunked value + +- ++ + ```http + HTTP/1.1 200 OK + Transfer-Encoding: chunked +-- +2.47.0 + diff --git a/SPECS/llhttp.spec b/SPECS/llhttp.spec index 4ad472e..5725541 100644 --- a/SPECS/llhttp.spec +++ b/SPECS/llhttp.spec @@ -1,8 +1,8 @@ ## START: Set by rpmautospec -## (rpmautospec version 0.6.1) +## (rpmautospec version 0.6.5) ## RPMAUTOSPEC: autorelease, autochangelog %define autorelease(e:s:pb:n) %{?-p:0.}%{lua: - release_number = 7; + release_number = 2; base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); print(release_number + base_release_number - 1); }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} @@ -38,7 +38,7 @@ Name: llhttp Version: 9.1.3 %global so_version 9.1 -Release: %autorelease +Release: %autorelease -b 8 Summary: Port of http_parser to llparse # License of llhttp is (SPDX) MIT; nothing from the NodeJS dependency bundle is @@ -87,6 +87,8 @@ BuildRequires: askalono-cli BuildRequires: licensecheck %endif +Patch: 0001-fix-Do-not-allow-OBS-fold-in-headers-by-default.patch + %description This project is a port of http_parser to TypeScript. llparse is used to generate the output C source file, which could be compiled and linked with the @@ -104,7 +106,7 @@ developing applications that use llhttp. %prep -%autosetup +%autosetup -p1 # Remove build flags specifying ISA extensions not in the architectural # baseline from the test fixture setup. @@ -257,6 +259,18 @@ NODE_ENV=test ./node_modules/.bin/mocha \ %changelog ## START: Generated by rpmautospec +* Tue Oct 29 2024 Troy Dawson - 9.1.3-9 +- Bump release for October 2024 mass rebuild: + +* Tue Oct 29 2024 Sergio Correia - 9.1.3-8 +- Backport fix for CVE-2024-27982 + +* Mon Oct 21 2024 Sergio Correia - 9.2.1-1 +- Update to 9.2.1 + +* Thu Oct 17 2024 Patrik Koncity - 9.1.3-8 +- Run llhttp test for gating + * Mon Jun 24 2024 Troy Dawson - 9.1.3-7 - Bump release for June 2024 mass rebuild