From 255bc945c2bad35c01b65e3351337e30372907b4 Mon Sep 17 00:00:00 2001 From: Bert Belder Date: Thu, 7 Feb 2013 14:39:47 +0100 Subject: [PATCH] http: protect against response splitting attacks This patch is a back-port of 3c293ba. Closes #4696 --- lib/http.js | 5 ++ .../test-http-header-response-splitting.js | 64 +++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 test/simple/test-http-header-response-splitting.js diff --git a/lib/http.js b/lib/http.js index aee579aadf..315a9c6a24 100644 --- a/lib/http.js +++ b/lib/http.js @@ -546,6 +546,11 @@ OutgoingMessage.prototype._storeHeader = function(firstLine, headers) { var self = this; function store(field, value) { + // Protect against response splitting. The if statement is there to + // minimize the performance impact in the common case. + if (/[\r\n]/.test(value)) + value = value.replace(/[\r\n]+[ \t]*/g, ''); + messageHeader += field + ': ' + value + CRLF; if (connectionExpression.test(field)) { diff --git a/test/simple/test-http-header-response-splitting.js b/test/simple/test-http-header-response-splitting.js new file mode 100644 index 0000000000..044618436c --- /dev/null +++ b/test/simple/test-http-header-response-splitting.js @@ -0,0 +1,64 @@ +// Copyright Joyent, Inc. and other Node contributors. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to permit +// persons to whom the Software is furnished to do so, subject to the +// following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +// USE OR OTHER DEALINGS IN THE SOFTWARE. + +var common = require('../common'), + assert = require('assert'), + http = require('http'); + +var testIndex = 0, + responses = 0; + +var server = http.createServer(function(req, res) { + switch (testIndex++) { + case 0: + res.writeHead(200, { test: 'foo \r\ninvalid: bar' }); + break; + case 1: + res.writeHead(200, { test: 'foo \ninvalid: bar' }); + break; + case 2: + res.writeHead(200, { test: 'foo \rinvalid: bar' }); + break; + case 3: + res.writeHead(200, { test: 'foo \n\n\ninvalid: bar' }); + break; + case 4: + res.writeHead(200, { test: 'foo \r\n \r\n \r\ninvalid: bar' }); + server.close(); + break; + default: + assert(false); + } + res.end('Hi mars!'); +}); +server.listen(common.PORT); + +for (var i = 0; i < 5; i++) { + var req = http.get({ port: common.PORT, path: '/' }, function(res) { + assert.strictEqual(res.headers.test, 'foo invalid: bar'); + assert.strictEqual(res.headers.invalid, undefined); + responses++; + }); +} + +process.on('exit', function() { + assert.strictEqual(responses, 5); +});