nodejs
diff --git a/Collapse file
‎doc/api/cli.md‎
Copy file name to clipboardExpand all lines: doc/api/cli.md
+11Lines changed: 11 additions & 0 deletions
Display the source diff
Display the rich diff b/Collapse file
‎doc/api/cli.md‎
Copy file name to clipboardExpand all lines: doc/api/cli.md
+11Lines changed: 11 additions & 0 deletions
Display the source diff
Display the rich diff
diff --git a/Collapse file
‎doc/node.1‎
Copy file name to clipboardExpand all lines: doc/node.1
+6Lines changed: 6 additions & 0 deletions b/Collapse file
‎doc/node.1‎
Copy file name to clipboardExpand all lines: doc/node.1
+6Lines changed: 6 additions & 0 deletions
diff --git a/Collapse file
‎lib/_http_client.js‎
Copy file name to clipboardExpand all lines: lib/_http_client.js
+3-1Lines changed: 3 additions & 1 deletion b/Collapse file
‎lib/_http_client.js‎
Copy file name to clipboardExpand all lines: lib/_http_client.js
+3-1Lines changed: 3 additions & 1 deletion
diff --git a/Collapse file
‎lib/_http_common.js‎
Copy file name to clipboardExpand all lines: lib/_http_common.js
+12Lines changed: 12 additions & 0 deletions b/Collapse file
‎lib/_http_common.js‎
Copy file name to clipboardExpand all lines: lib/_http_common.js
+12Lines changed: 12 additions & 0 deletions
diff --git a/Collapse file
‎lib/_http_server.js‎
Copy file name to clipboardExpand all lines: lib/_http_server.js
+3-1Lines changed: 3 additions & 1 deletion b/Collapse file
‎lib/_http_server.js‎
Copy file name to clipboardExpand all lines: lib/_http_server.js
+3-1Lines changed: 3 additions & 1 deletion
diff --git a/Collapse file
‎src/node_http_parser_impl.h‎
Copy file name to clipboardExpand all lines: src/node_http_parser_impl.h
+5-2Lines changed: 5 additions & 2 deletions b/Collapse file
‎src/node_http_parser_impl.h‎
Copy file name to clipboardExpand all lines: src/node_http_parser_impl.h
+5-2Lines changed: 5 additions & 2 deletions
diff --git a/Collapse file
‎src/node_options.cc‎
Copy file name to clipboardExpand all lines: src/node_options.cc
+4Lines changed: 4 additions & 0 deletions b/Collapse file
‎src/node_options.cc‎
Copy file name to clipboardExpand all lines: src/node_options.cc
+4Lines changed: 4 additions & 0 deletions
diff --git a/Collapse file
‎src/node_options.h‎
Copy file name to clipboardExpand all lines: src/node_options.h
+2Lines changed: 2 additions & 0 deletions b/Collapse file
‎src/node_options.h‎
Copy file name to clipboardExpand all lines: src/node_options.h
+2Lines changed: 2 additions & 0 deletions
@@ -431,6 +431,16 @@ added: v9.0.0
 Specify the `module` of a custom [experimental ECMAScript Module][] loader.
 `module` may be either a path to a file, or an ECMAScript Module name.
 
+### `--insecure-http-parser`
+<!-- YAML
+added: REPLACEME
+-->
+
+Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow
+interoperability with non-conformant HTTP implementations. It may also allow
+request smuggling and other HTTP attacks that rely on invalid headers being
+accepted. Avoid using this option.
+
 ### `--max-http-header-size=size`
 <!-- YAML
 added: v11.6.0
@@ -1099,6 +1109,7 @@ Node.js options that are allowed are:
 * `--http-server-default-timeout`
 * `--icu-data-dir`
 * `--input-type`
+* `--insecure-http-parser`
 * `--inspect-brk`
 * `--inspect-port`, `--debug-port`
 * `--inspect-publish-uid`
 
@@ -232,6 +232,12 @@ Specify the
 as a custom loader, to load
 .Fl -experimental-modules .
 .
+.It Fl -insecure-http-parser
+Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow
+interoperability with non-conformant HTTP implementations. It may also allow
+request smuggling and other HTTP attacks that rely on invalid headers being
+accepted. Avoid using this option.
+.
 .It Fl -max-http-header-size Ns = Ns Ar size
 Specify the maximum size of HTTP headers in bytes. Defaults to 8KB.
 .
 
@@ -32,6 +32,7 @@ const {
   freeParser,
   parsers,
   HTTPParser,
+  isLenient,
   prepareError,
 } = require('_http_common');
 const { OutgoingMessage } = require('_http_outgoing');
@@ -655,7 +656,8 @@ function tickOnSocket(req, socket) {
   req.socket = socket;
   req.connection = socket;
   parser.initialize(HTTPParser.RESPONSE,
-                    new HTTPClientAsyncResource('HTTPINCOMINGMESSAGE', req));
+                    new HTTPClientAsyncResource('HTTPINCOMINGMESSAGE', req),
+                    isLenient());
   parser.socket = socket;
   parser.outgoing = req;
   req.parser = parser;
 
@@ -29,6 +29,7 @@ const { getOptionValue } = require('internal/options');
 const { methods, HTTPParser } =
   getOptionValue('--http-parser') === 'legacy' ?
     internalBinding('http_parser') : internalBinding('http_parser_llhttp');
+const insecureHTTPParser = getOptionValue('--insecure-http-parser');
 
 const FreeList = require('internal/freelist');
 const incoming = require('_http_incoming');
@@ -238,6 +239,16 @@ function prepareError(err, parser, rawPacket) {
     err.message = `Parse Error: ${err.reason}`;
 }
 
+let warnedLenient = false;
+
+function isLenient() {
+  if (insecureHTTPParser && !warnedLenient) {
+    warnedLenient = true;
+    process.emitWarning('Using insecure HTTP parsing');
+  }
+  return insecureHTTPParser;
+}
+
 module.exports = {
   _checkInvalidHeaderChar: checkInvalidHeaderChar,
   _checkIsHttpToken: checkIsHttpToken,
@@ -250,5 +261,6 @@ module.exports = {
   parsers,
   kIncomingMessage,
   HTTPParser,
+  isLenient,
   prepareError,
 };
@@ -39,6 +39,7 @@ const {
   chunkExpression,
   kIncomingMessage,
   HTTPParser,
+  isLenient,
   _checkInvalidHeaderChar: checkInvalidHeaderChar,
   prepareError,
 } = require('_http_common');
@@ -385,7 +386,8 @@ function connectionListenerInternal(server, socket) {
   // https://github.com/nodejs/node/pull/21313
   parser.initialize(
     HTTPParser.REQUEST,
-    new HTTPServerAsyncResource('HTTPINCOMINGMESSAGE', socket)
+    new HTTPServerAsyncResource('HTTPINCOMINGMESSAGE', socket),
+    isLenient(),
   );
   parser.socket = socket;
 
 
@@ -501,6 +501,7 @@ class Parser : public AsyncWrap, public StreamListener {
 
   static void Initialize(const FunctionCallbackInfo<Value>& args) {
     Environment* env = Environment::GetCurrent(args);
+    bool lenient = args[2]->IsTrue();
 
     CHECK(args[0]->IsInt32());
     CHECK(args[1]->IsObject());
@@ -521,7 +522,7 @@ class Parser : public AsyncWrap, public StreamListener {
 
     parser->set_provider_type(provider);
     parser->AsyncReset(args[1].As<Object>());
-    parser->Init(type);
+    parser->Init(type, lenient);
   }
 
   template <bool should_pause>
@@ -805,12 +806,14 @@ class Parser : public AsyncWrap, public StreamListener {
   }
 
 
-  void Init(parser_type_t type) {
+  void Init(parser_type_t type, bool lenient) {
 #ifdef NODE_EXPERIMENTAL_HTTP
     llhttp_init(&parser_, type, &settings);
+    llhttp_set_lenient(&parser_, lenient);
     header_nread_ = 0;
 #else  /* !NODE_EXPERIMENTAL_HTTP */
     http_parser_init(&parser_, type);
+    parser_.lenient_http_headers = lenient;
 #endif  /* NODE_EXPERIMENTAL_HTTP */
     url_.Reset();
     status_message_.Reset();
 
@@ -416,6 +416,10 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
             "(default: 120000)",
             &EnvironmentOptions::http_server_default_timeout,
             kAllowedInEnvironment);
+  AddOption("--insecure-http-parser",
+            "Use an insecure HTTP parser that accepts invalid HTTP headers",
+            &EnvironmentOptions::insecure_http_parser,
+            kAllowedInEnvironment);
   AddOption("--input-type",
             "set module type for string input",
             &EnvironmentOptions::module_type,
 
@@ -159,6 +159,8 @@ class EnvironmentOptions : public Options {
   bool print_eval = false;
   bool force_repl = false;
 
+  bool insecure_http_parser = false;
+
   bool tls_min_v1_0 = false;
   bool tls_min_v1_1 = false;
   bool tls_min_v1_2 = false;
Original file line number	Diff line number	Diff line change
`@@ -232,6 +232,12 @@ Specify the`
`232`	`232`	`as a custom loader, to load`
`233`	`233`	`.Fl -experimental-modules .`
`234`	`234`	`.`
	`235`	`+.It Fl -insecure-http-parser`
	`236`	`+Use an insecure HTTP parser that accepts invalid HTTP headers. This may allow`
	`237`	`+interoperability with non-conformant HTTP implementations. It may also allow`
	`238`	`+request smuggling and other HTTP attacks that rely on invalid headers being`
	`239`	`+accepted. Avoid using this option.`
	`240`	`+.`
`235`	`241`	`.It Fl -max-http-header-size Ns = Ns Ar size`
`236`	`242`	`Specify the maximum size of HTTP headers in bytes. Defaults to 8KB.`
`237`	`243`	`.`