From b5a1a67b3c2b20f5d6e78e7e80297e71da4ab74c Mon Sep 17 00:00:00 2001
From: Fabiel Leon
Date: Sun, 5 Sep 2021 07:43:49 -0400
Subject: [PATCH] Adding nodejs http.request option: insecureHTTPParser (#2930)

Co-authored-by: Jay
---
 README.md | 10 +++++++++-
 lib/adapters/http.js | 4 ++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2971f74d02..ce31d5b7ab 100755
--- a/README.md
+++ b/README.md
@@ -456,7 +456,15 @@ These are the available config options for making requests. Only the `url` is re
 // automatically. If set to `true` will also remove the 'content-encoding' header
 // from the responses objects of all decompressed responses
 // - Node only (XHR cannot turn off decompression)
- decompress: true, // default
+ decompress: true // default
+
+ // `insecureHTTPParser` boolean.
+ // Indicates where to use an insecure HTTP parser that accepts invalid HTTP headers.
+ // This may allow interoperability with non-conformant HTTP implementations.
+ // Using the insecure parser should be avoided.
+ // see options https://nodejs.org/dist/latest-v12.x/docs/api/http.html#http_http_request_url_options_callback
+ // see also https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/#strict-http-header-parsing-none
+ insecureHTTPParser: undefined // default

 // transitional options for backward compatibility that may be removed in the newer versions
 transitional: {
diff --git a/lib/adapters/http.js b/lib/adapters/http.js
index 0cca3bdfbb..1b76f5e0ae 100755
--- a/lib/adapters/http.js
+++ b/lib/adapters/http.js
@@ -198,6 +198,10 @@ module.exports = function httpAdapter(config) {
 options.maxBodyLength = config.maxBodyLength;
 }

+ if (config.insecureHTTPParser) {
+ options.insecureHTTPParser = config.insecureHTTPParser;
+ }
+
 // Create the request
 var req = transport.request(options, function handleResponse(res) {
 if (req.aborted) return;
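Review bot: The guard `if (config.insecureHTTPParser)` in the lib/adapters/http.js hunk forwards the option only when it is truthy, so an explicit `false` never reaches `transport.request`; as far as I know Node falls back to the process-wide `--insecure-http-parser` setting when the option is undefined, which would leave a caller unable to force strict header parsing for one request in a process started with that flag. Because this switch relaxes header validation, I would forward only real booleans: `if (typeof config.insecureHTTPParser === 'boolean') { options.insecureHTTPParser = config.insecureHTTPParser; }`. That also stops a truthy non-boolean, such as the string `'false'` read from a config file, from being passed on as a request for the lenient parser. A comment above the block, `// Security-sensitive: relaxes HTTP header validation; forward only an explicit boolean`, would tell the next reader why the check is strict. The body of httpAdapter starts and ends outside this hunk.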