http: disable request smuggling via empty headers

PR-URL: nodejs-private/node-private#429 Refs: nodejs-private/node-private#427 Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Matteo Collina <[email protected]> CVE-ID: CVE-2023-30589
nodejs · Jun 19, 2023 · e42ff4b · e42ff4b
1 parent 1a5c928
commit e42ff4b
Show file tree

Hide file tree

Showing 5 changed files with 590 additions and 424 deletions.
diff --git a/deps/llhttp/CMakeLists.txt b/deps/llhttp/CMakeLists.txt
@@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.5.1)
 cmake_policy(SET CMP0069 NEW)
 
-project(llhttp VERSION 6.0.10)
+project(llhttp VERSION 6.0.11)
 include(GNUInstallDirs)
 
 set(CMAKE_C_STANDARD 99)

diff --git a/deps/llhttp/include/llhttp.h b/deps/llhttp/include/llhttp.h
@@ -3,7 +3,7 @@
 
 #define LLHTTP_VERSION_MAJOR 6
 #define LLHTTP_VERSION_MINOR 0
-#define LLHTTP_VERSION_PATCH 10
+#define LLHTTP_VERSION_PATCH 11
 
 #ifndef LLHTTP_STRICT_MODE
 # define LLHTTP_STRICT_MODE 0

diff --git a/deps/llhttp/llhttp.gyp b/deps/llhttp/llhttp.gyp
@@ -1,4 +1,11 @@
 {
+  'variables': {
+    'llhttp_sources': [
+      'src/llhttp.c',
+      'src/api.c',
+      'src/http.c',
+    ]
+  },
   'targets': [
     {
       'target_name': 'llhttp',
@@ -7,7 +14,9 @@
       'direct_dependent_settings': {
         'include_dirs': [ 'include' ],
       },
-      'sources': [ 'src/llhttp.c', 'src/api.c', 'src/http.c' ],
+      'sources': [
+        '<@(llhttp_sources)',
+      ],
     },
   ]
 }