mirrors/nodejs
mirrors/nodejs
0
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2024-12-01 16:10:02 +01:00
Code Issues Releases Activity
2e1b41a708
nodejs/lib
History
Fedor Indutny 2e1b41a708
tls: emit session after verifying certificate 
Prior to this patch `session` event was emitted after `secure` event on
TLSSocket, but before `secureConnect` event. This is problematic for
`https.Agent` because it must cache session only after verifying the
remote peer's certificate.

Connecting to a server that presents an invalid certificate resulted
in the session being cached after the handshake with the server and
evicted right after a certifiate validation error and socket's
destruction. A request initiated during this narrow window would pick
the faulty session, send it to the malicious server and skip the
verification of the server's certificate.

Fixes: https://hackerone.com/reports/811502
CVE-ID: CVE-2020-8172
PR-URL: https://github.com/nodejs-private/node-private/pull/200
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
2020-06-02 20:35:51 +02:00
..
dns dns: add dns/promises alias 2020-05-24 03:26:21 +02:00
fs fs: add fs/promises alias module 2020-02-18 22:15:50 -08:00
internal http2: implement support for max settings entries 2020-06-02 20:35:51 +02:00
_http_agent.js lib: improve debuglog() performance 2020-05-30 17:24:43 -04:00
_http_client.js http: don't destroy completed request 2020-05-11 18:02:32 +02:00
_http_common.js lib: improve debuglog() performance 2020-05-30 17:24:43 -04:00
_http_incoming.js tools: enable no-else-return lint rule 2020-05-16 06:42:16 +02:00
_http_outgoing.js http: tidy up exposure of header validation 2020-05-25 19:21:57 +02:00
_http_server.js http: fixed socket.setEncoding fatal error 2020-05-23 21:29:49 +02:00
_stream_duplex.js stream: forward writableObjectMode 2020-05-19 00:02:32 +02:00
_stream_passthrough.js
_stream_readable.js lib: improve debuglog() performance 2020-05-30 17:24:43 -04:00
_stream_transform.js stream: fix _final and 'prefinish' timing 2020-04-22 09:40:03 +02:00
_stream_wrap.js
_stream_writable.js stream: construct 2020-05-27 10:24:05 +02:00
_tls_common.js
_tls_wrap.js tls: emit session after verifying certificate 2020-06-02 20:35:51 +02:00
.eslintrc.yaml lib: add Int16Array primordials 2020-06-02 15:38:59 +02:00
assert.js assert: port common.mustCall() to assert 2020-04-23 10:11:47 -07:00
async_hooks.js async_hooks: move PromiseHook handler to JS 2020-05-09 07:52:22 +02:00
buffer.js buffer: remove hoisted variable 2020-05-23 20:47:02 +02:00
child_process.js lib: improve debuglog() performance 2020-05-30 17:24:43 -04:00
cluster.js
console.js
constants.js
crypto.js tls: provide default cipher list from command line 2020-04-13 18:48:23 +02:00
dgram.js lib: move isLegalPort to validators, refactor 2020-03-05 11:52:53 -08:00
dns.js tools: enable no-else-return lint rule 2020-05-16 06:42:16 +02:00
domain.js
events.js events: variable originalListener is useless 2020-05-30 10:22:00 -07:00
fs.js fs: support util.promisify for fs.readv 2020-05-30 10:17:31 -07:00
http2.js
http.js http: tidy up exposure of header validation 2020-05-25 19:21:57 +02:00
https.js lib: improve debuglog() performance 2020-05-30 17:24:43 -04:00
inspector.js inspector: throw error when activating an already active inspector 2020-05-24 03:43:05 +02:00
module.js
net.js net: remove long deprecated server.connections property 2020-06-01 08:38:00 -07:00
os.js src: create a getter for kernel version 2020-03-09 12:44:16 +01:00
path.js path: fix comment grammar 2020-04-28 19:10:26 +02:00
perf_hooks.js perf_hooks: fix error message for invalid entryTypes 2020-05-10 13:53:15 +02:00
process.js
punycode.js
querystring.js
readline.js lib: update TODO comments 2020-05-20 17:05:06 +02:00
repl.js lib: improve debuglog() performance 2020-05-30 17:24:43 -04:00
stream.js
string_decoder.js
sys.js
timers.js lib: improve debuglog() performance 2020-05-30 17:24:43 -04:00
tls.js tls: provide default cipher list from command line 2020-04-13 18:48:23 +02:00
trace_events.js
tty.js
url.js
util.js
v8.js tools: enable no-else-return lint rule 2020-05-16 06:42:16 +02:00
vm.js tools: enable no-else-return lint rule 2020-05-16 06:42:16 +02:00
wasi.js wasi: allow WASI stdio to be configured 2020-05-30 04:28:02 +02:00
worker_threads.js
zlib.js tools: enable no-else-return lint rule 2020-05-16 06:42:16 +02:00