NULL byte in request path kills server

[vvanpo]

Version 0.11.1.

[Mon Feb 04 2019 09:30:16 GMT-0800 (Pacific Standard Time)] "GET /<...>%00" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"                                                                         
internal/fs/utils.js:453
    throw err;
    ^

TypeError [ERR_INVALID_ARG_VALUE]: The argument 'path' must be a string or Uint8Array without null bytes. Received '<...>\u0000'                                                
    at Object.stat (fs.js:821:3)
    at statFile (<...>/yarn/global/node_modules/ecstatic/lib/ecstatic.js:350:10)
    at Array.middleware (<...>/yarn/global/node_modules/ecstatic/lib/ecstatic.js:459:7)
    at dispatch (<...>/yarn/global/node_modules/union/lib/routing-stream.js:110:21)
    at Object.onceWrapper (events.js:273:13)
    at module.exports.emit (events.js:182:13)
    at Array.<anonymous> (<...>/yarn/global/node_modules/http-server/lib/http-server.js:66:9)
    at dispatch (<...>/yarn/global/node_modules/union/lib/routing-stream.js:119:21)
    at module.exports.RoutingStream.route (<...>/yarn/global/node_modules/union/lib/routing-stream.js:121:5)
    at Object.onceWrapper (events.js:273:13)

It seems that external requests can kill the server if it passes NULL bytes in the request path.

[thornjad]

Hm thats not good. Obviously the null byte isn't a valid path character, but a it would be better not to crash. I can dig in some later this week.

[thornjad]

I looked into this a bit and it looks like Node made a change in how null bytes in paths are handled, and it broke our own handling of it. Ill look into patching that up.

[github-actions]

This issue has been inactive for 180 days

[thornjad]

Looks like this patch by @Xmader in extatic may help with this node-extatic/extatic@0c08c0f, the same changes can be made in http-server's lib/core/index.js