nodejs/node

http2: cannot negotiate ALPN besides http/1.1

Open

#26,835 created on March 21, 2019

help wanted, http2

Description

The documentation for 'unknownProtocol' says this:

The 'unknownProtocol' event is emitted when a connecting client fails to negotiate an allowed protocol (i.e. HTTP/2 or HTTP/1.1). The event handler receives the socket for handling. If no listener is registered for this event, the connection is terminated.

The logic seems wrong though. It only passes through nothing (no protocol negotiated) or http/1.1, everything else is ignored:

https://github.com/nodejs/node/blob/11f8024d992c385d3db196ab64678311bfdabd84/lib/internal/http2/core.js#L2614-L2634

Caveat: if the check is loosened, care should be taken not to introduce an information leak.

For an attacker it should not be possible to deduce whether the server has { allowHTTP1: true } and an 'unknownProtocol' listener installed by sending messages with the ALPN proto set to http/1.1 and e.g. hax/13.37, and then comparing the responses he gets back.
