Métriques du dépôt
- Stars
- (117 218 stars)
- Métriques de merge PR
- (Merge moyen 18j 17h) (219 PRs mergées en 30 j)
Description
The documentation for 'unknownProtocol' says this:
The
'unknownProtocol'event is emitted when a connecting client fails to negotiate an allowed protocol (i.e. HTTP/2 or HTTP/1.1). The event handler receives the socket for handling. If no listener is registered for this event, the connection is terminated.
The logic seems wrong though. It only passes through nothing (no protocol negotiated) or http/1.1, everything else is ignored:
Caveat: if the check is loosened, care should be taken not to introduce an information leak.
For an attacker it should not be possible to deduce whether the server has { allowHTTP1: true } and an 'unknownProtocol' listener installed by sending messages with the ALPN proto set to http/1.1 and e.g. hax/13.37, and then comparing the responses he gets back.