diff --git a/doc/site/src/default.template b/doc/site/src/default.template index a96ffe0f..2c320287 100644 --- a/doc/site/src/default.template +++ b/doc/site/src/default.template @@ -47,6 +47,19 @@
+
Apr-3-2006
+
+
Mongrel 0.3.12.1 -- Iron Mongrel
+ +

This release is the result of pounding the crap out of Mongrel since the + last release to make it more robust in the face of really bad traffic. It is + pretty ruthless so people should test and report if it's too ruthless.

+ + Download + more

+
+ +
Mar-30-2006
Mongrel 0.3.12 -- Pre-Release
@@ -54,6 +67,7 @@

The official 0.3.12 release of Mongrel is here. This release is hot, but test test test. Should support Rails 1.1 and has lots of debugging and tweaks.

+ Download more

@@ -138,15 +152,6 @@ more

-
Feb-18-2006
-
-
Mongrel 0.3.5 -- CGI Fixed
- -

A complete rewrite of the CGIWrapper that actually works.

- Download - more

-
-
diff --git a/doc/site/src/images/iron_mongrel.jpg b/doc/site/src/images/iron_mongrel.jpg new file mode 100644 index 00000000..a1d9b6b9 Binary files /dev/null and b/doc/site/src/images/iron_mongrel.jpg differ diff --git a/doc/site/src/images/spaceball.gif b/doc/site/src/images/spaceball.gif deleted file mode 100644 index 35d42e80..00000000 Binary files a/doc/site/src/images/spaceball.gif and /dev/null differ diff --git a/doc/site/src/news.page b/doc/site/src/news.page index 956dacd9..b6523a3b 100644 --- a/doc/site/src/news.page +++ b/doc/site/src/news.page @@ -7,6 +7,54 @@ ordering: 2 h1. Latest News +h2. Apr-3: Mongrel 0.3.12.1 -- Iron Mongrel + +!/images/iron_mongrel.jpg! + +This is the Iron Mongrel release. It is the result of trying to trash Mongrel +until it can't move and then fixing anything that comes up. The testing +methods used are: + +# Increased the number of unit tests against the main C parts. +# Write several tests against Mongrel's parser which throw it tons of random data. +# Use "Peach Fuzz":http://peachfuzz.sourceforge.net/ to thrash several live apps with randomness. +# Wrote several extensive little scripts to explore the edges of death for Mongrel. +# Heavy code audits covering as much code as possible to find any possible loose ends. + +The end result is a lot of little fixes which make Mongrel more robust against +badly behaving clients and possibly against many potential security risks in +the future. In general Mongrel 0.3.12.1 behaves more consistently compared +to past releases when given random data or maliciously formatted data. + +The main changes are related to how IO is processed and how the HTTP parser rejects +"bad" input. What the parser now blocks is: + +* Any header over 112k. +* Any query string over 10k. +* Any header field value over 80k. +* Any header field name over 256 bytes. +* Any request URI greater than 512 bytes. + +As soon as these conditions are detected the client is disconnected immediately and a +log message is printed out listing the IP address, the exact cause, and the data that caused it. I'll +remove the data dump later, but I want people to shoot me valid requests that cause parser +errors. + +That's not all though. I've started a "security":security.html page where I'll publish +the results of security threats, tests, and improvements as well as any advice for +folks. + +This release also features a few little features here and there: + +* Initial support for a "config script". I'll be documenting this more, but it basically lets you use the Mongrel::RailsConfigurator to augment your application's config via a small script. Just pass "-S config/mongrel.rb" and put any Mongrel::RailsConfigurator statements that are reasonable. +* Mongrel will report the correct REMOTE_ADDR variable, but it does a little trick where if there +is an X-FORWARDED-FOR header then it sets REMOTE_ADDR to that. +* Fixes for little bugs like double log messages, but not a lot of changes to the overall core. + +Go ahead and install the usual way: gem install mongrel *or* gem upgrade + +The logo is courtesy court3nay from irc.freenode.org. + h2. Mar-30: Mongrel 0.3.12 -- OFFICIAL Release This is the long awaited (like 2 weeks) 0.3.12 release of Mongrel. This release diff --git a/doc/site/src/security.page b/doc/site/src/security.page new file mode 100644 index 00000000..c713e9ca --- /dev/null +++ b/doc/site/src/security.page @@ -0,0 +1,95 @@ +--- +title: News +inMenu: true +directoryName: News +ordering: 2 +--- + +!/images/iron_mongrel.jpg! + +h1. Iron Mongrel Security + +This is where I'll be putting security tests, alerts, and advice for people +running Mongrel. I test Mongrel fairly heavily using the following techniques: + +# Unit testing what I can. Mongrel is a server so many tests have to be done "live". +# Thrashing Mongrel's HTTP parser internally with random or near-random data (called fuzzing). +# Using "Peach Fuzz":http://peachfuzz.sourceforge.net/ to thrash several live apps with randomness. +# Running several extensive little scripts to explore the edges of death for Mongrel. +# Heavy code audits covering as much code as possible to find any possible loose ends. + +The end result is a lot of little fixes which make Mongrel more robust against +badly behaving clients and possibly against many potential security risks in +the future. + + +h2. Mongrels HTTP Restrictions + +Many of the exploits out there currently for web servers tend to expoit +either ambiguous areas of the HTTP grammar, or the lack of size specifications +in the protocol. To protect against this Mongrel uses a fairly strict parser, +but since many browser authors don't read specifications (and hell, who'd want +to read the mountain of HTTP specifications out there), it can't be too +strict. What it does enforce--apart from well formed headers and request lines--is +the following size restrictions on each part: + +* Any header over 112k. +* Any query string over 10k. +* Any header field value over 80k. +* Any header field name over 256 bytes. +* Any request URI greater than 512 bytes. + +The large header size and field value is due to cookies being allowed to be so massive. +It's not too clear whether a browser is allowed to cram all 20 of the 4k cookies +into one cookie header, or if it should use multiple, but the end result is that +a web server has to parser at least 112k of garbage before it can declare a client +malicious. + +Now, when I say Mongrel is strict, I don't mean that it will abort on any +minor little error according to the HTTP 1.1 RFC. Mongrel's parser is +pretty forgiving on formats. Where Mongrel is exact is--as mentioned +before--in it's treatment of sizes and boundary characters. Clients that +can't even get that right aren't following the most basic safety elements +of HTTP and you probably shouldn't deal with them. + + +h2. Quiet Things Happens To Bad People + +Rather than wasting any more time--and in order to not give out any +information to potentially malicious attackers--Mongrel just closes +the socket immediately. This may confuse good people, but it's the +best way to deal with bad requests. + +The assumption is that either the requesting client is not functioning +correctly or it's attempting an attack. If it's not functioning correctly +then what's the point of sending back any results? It probably can't +parse them anyway. If it's an attacker then why give them any more +information? + +Caught in the middle are people who are using a poorly written client. +I'd suggest in those cases that they report the problem to the client's +authors or contact me to see if it's an error on Mongrel's part. + + +h2. Protocol Error Reporting + +The 0.3.12.1 release was the first Iron Mongrel release, but it isn't perfect +for sure. To make sure that it doesn't prevent people from making tons of +money the 0.3.12.1 release will report what data caused the parser to fail. +If you see a legit request that causes the parser to choke then send it to +me and I'll take a look. + +In general though, if you are getting bad requests they are probably intentionally +malicious. The nice thing about Mongrel's parser is that the detection of +bad requests isn't based on pattern detection, but rather on just making the +HTTP protocol more strict to where bad requests get kicked out early. + + +h2. Reporting Security Problems + +If you think you've found a security problem with Mongrel, please +report it to me right away at *zedshaw at zedshaw do com*. I'm usually +very responsive and will probably help even if the security problem is +outside of Mongrel or if you need help securing your system. + + diff --git a/lib/mongrel.rb b/lib/mongrel.rb index 7832ea2a..78aad73a 100644 --- a/lib/mongrel.rb +++ b/lib/mongrel.rb @@ -524,14 +524,20 @@ module Mongrel # Simply registers a handler with the internal URIClassifier. When the URI is # found in the prefix of a request then your handler's HttpHandler::process method # is called. See Mongrel::URIClassifier#register for more information. - def register(uri, handler) + # + # If you set in_front=true then the passed in handler will be put in front in the list. + def register(uri, handler, in_front=false) script_name, path_info, handlers = @classifier.resolve(uri) if not handlers @classifier.register(uri, [handler]) else if path_info.length == 0 or (script_name == Const::SLASH and path_info == Const::SLASH) - handlers << handler + if in_front + handlers.unshift(handler) + else + handlers << handler + end else @classifier.register(uri, [handler]) end @@ -662,7 +668,7 @@ module Mongrel # * :handler => Handler to use for this location. def uri(location, options={}) ops = resolve_defaults(options) - @listener.register(location, ops[:handler]) + @listener.register(location, ops[:handler], in_front=ops[:in_front]) end