kotovalexarian-likes-github/puma--puma
1
0
Fork 0
mirror of https://github.com/puma/puma.git synced 2022-11-09 13:48:40 -05:00
Code Releases Activity

Added the ability to put new handlers before other handlers in the handler chain for a uri.

Browse source 
git-svn-id: svn+ssh://rubyforge.org/var/svn/mongrel/trunk@144 19e92222-5c0b-0410-8929-a290d50e31e9
This commit is contained in:
zedshaw 2006-04-04 05:24:55 +00:00
parent 08b5169a10
commit d649d856eb
6 changed files with 166 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
doc/site/src/default.template
View file

@ -47,6 +47,19 @@
<dl> <dl>
<dt>Apr-3-2006</dt>
<dd>
<h5><a href="{relocatable: news.html}">Mongrel 0.3.12.1 -- Iron Mongrel</a></h5>
<p>This release is the result of pounding the crap out of Mongrel since the
last release to make it more robust in the face of really bad traffic. It is
pretty ruthless so people should test and report if it's too ruthless.</p>
<a href="http://rubyforge.org/frs/?group_id=1306" title="Downloads">Download</a>
<a href="{relocatable: news.html}"><img src="{relocatable: images/li4.gif}" alt="more" /><br /></a></p>
</dd>
<dt>Mar-30-2006</dt> <dt>Mar-30-2006</dt>
<dd> <dd>
<h5><a href="{relocatable: news.html}">Mongrel 0.3.12 -- Pre-Release</a></h5> <h5><a href="{relocatable: news.html}">Mongrel 0.3.12 -- Pre-Release</a></h5>
@ -54,6 +67,7 @@
<p>The official 0.3.12 release of Mongrel is here. This release is hot, but test test test. <p>The official 0.3.12 release of Mongrel is here. This release is hot, but test test test.
Should support Rails 1.1 and has lots of debugging and tweaks.</p> Should support Rails 1.1 and has lots of debugging and tweaks.</p>
<a href="http://rubyforge.org/frs/?group_id=1306" title="Downloads">Download</a>
<a href="{relocatable: news.html}"><img src="{relocatable: images/li4.gif}" alt="more" /><br /></a></p> <a href="{relocatable: news.html}"><img src="{relocatable: images/li4.gif}" alt="more" /><br /></a></p>
</dd> </dd>
@ -138,15 +152,6 @@
<a href="{relocatable: news.html}"><img src="{relocatable: images/li4.gif}" alt="more" /><br /></a></p> <a href="{relocatable: news.html}"><img src="{relocatable: images/li4.gif}" alt="more" /><br /></a></p>
</dd> </dd>
<dt>Feb-18-2006</dt>
<dd>
<h5><a href="{relocatable: news.html}">Mongrel 0.3.5 -- CGI Fixed</a></h5>
<p>A complete rewrite of the CGIWrapper that actually works.</p>
<a href="http://rubyforge.org/frs/?group_id=1306" title="Downloads">Download</a>
<a href="{relocatable: news.html}"><img src="{relocatable: images/li4.gif}" alt="more" /><br /></a></p>
</dd>
</dl> </dl>
</div> </div>
<hr noshade="noshade" size="1" /> <hr noshade="noshade" size="1" />

BIN
doc/site/src/images/iron_mongrel.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
doc/site/src/images/spaceball.gif
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 43 B

48
doc/site/src/news.page
View file

@ -7,6 +7,54 @@ ordering: 2
h1. Latest News h1. Latest News
h2. Apr-3: Mongrel 0.3.12.1 -- Iron Mongrel
!/images/iron_mongrel.jpg!
This is the Iron Mongrel release. It is the result of trying to trash Mongrel
until it can't move and then fixing anything that comes up. The testing
methods used are:
# Increased the number of unit tests against the main C parts.
# Write several tests against Mongrel's parser which throw it tons of random data.
# Use "Peach Fuzz":http://peachfuzz.sourceforge.net/ to thrash several live apps with randomness.
# Wrote several extensive little scripts to explore the edges of death for Mongrel.
# Heavy code audits covering as much code as possible to find any possible loose ends.
The end result is a lot of little fixes which make Mongrel more robust against
badly behaving clients and possibly against many potential security risks in
the future. In general Mongrel 0.3.12.1 behaves more consistently compared
to past releases when given random data or maliciously formatted data.
The main changes are related to how IO is processed and how the HTTP parser rejects
"bad" input. What the parser now blocks is:
* Any header over 112k.
* Any query string over 10k.
* Any header field value over 80k.
* Any header field name over 256 bytes.
* Any request URI greater than 512 bytes.
As soon as these conditions are detected the client is disconnected immediately and a
log message is printed out listing the IP address, the exact cause, and the data that caused it. I'll
remove the data dump later, but I want people to shoot me valid requests that cause parser
errors.
That's not all though. I've started a "security":security.html page where I'll publish
the results of security threats, tests, and improvements as well as any advice for
folks.
This release also features a few little features here and there:
* Initial support for a "config script". I'll be documenting this more, but it basically lets you use the Mongrel::RailsConfigurator to augment your application's config via a small script. Just pass "-S config/mongrel.rb" and put any Mongrel::RailsConfigurator statements that are reasonable.
* Mongrel will report the correct REMOTE_ADDR variable, but it does a little trick where if there
is an X-FORWARDED-FOR header then it sets REMOTE_ADDR to that.
* Fixes for little bugs like double log messages, but not a lot of changes to the overall core.
Go ahead and install the usual way: gem install mongrel *or* gem upgrade
The logo is courtesy court3nay from irc.freenode.org.
h2. Mar-30: Mongrel 0.3.12 -- OFFICIAL Release h2. Mar-30: Mongrel 0.3.12 -- OFFICIAL Release
This is the long awaited (like 2 weeks) 0.3.12 release of Mongrel. This release This is the long awaited (like 2 weeks) 0.3.12 release of Mongrel. This release

95
doc/site/src/security.page Normal file
View file

@ -0,0 +1,95 @@
---
title: News
inMenu: true
directoryName: News
ordering: 2
---
!/images/iron_mongrel.jpg!
h1. Iron Mongrel Security
This is where I'll be putting security tests, alerts, and advice for people
running Mongrel. I test Mongrel fairly heavily using the following techniques:
# Unit testing what I can. Mongrel is a server so many tests have to be done "live".
# Thrashing Mongrel's HTTP parser internally with random or near-random data (called fuzzing).
# Using "Peach Fuzz":http://peachfuzz.sourceforge.net/ to thrash several live apps with randomness.
# Running several extensive little scripts to explore the edges of death for Mongrel.
# Heavy code audits covering as much code as possible to find any possible loose ends.
The end result is a lot of little fixes which make Mongrel more robust against
badly behaving clients and possibly against many potential security risks in
the future.
h2. Mongrels HTTP Restrictions
Many of the exploits out there currently for web servers tend to expoit
either ambiguous areas of the HTTP grammar, or the lack of size specifications
in the protocol. To protect against this Mongrel uses a fairly strict parser,
but since many browser authors don't read specifications (and hell, who'd want
to read the mountain of HTTP specifications out there), it can't be too
strict. What it does enforce--apart from well formed headers and request lines--is
the following size restrictions on each part:
* Any header over 112k.
* Any query string over 10k.
* Any header field value over 80k.
* Any header field name over 256 bytes.
* Any request URI greater than 512 bytes.
The large header size and field value is due to cookies being allowed to be so massive.
It's not too clear whether a browser is allowed to cram all 20 of the 4k cookies
into one cookie header, or if it should use multiple, but the end result is that
a web server has to parser at least 112k of garbage before it can declare a client
malicious.
Now, when I say Mongrel is strict, I don't mean that it will abort on any
minor little error according to the HTTP 1.1 RFC. Mongrel's parser is
pretty forgiving on formats. Where Mongrel is exact is--as mentioned
before--in it's treatment of sizes and boundary characters. Clients that
can't even get that right aren't following the most basic safety elements
of HTTP and you probably shouldn't deal with them.
h2. Quiet Things Happens To Bad People
Rather than wasting any more time--and in order to not give out any
information to potentially malicious attackers--Mongrel just closes
the socket immediately. This may confuse good people, but it's the
best way to deal with bad requests.
The assumption is that either the requesting client is not functioning
correctly or it's attempting an attack. If it's not functioning correctly
then what's the point of sending back any results? It probably can't
parse them anyway. If it's an attacker then why give them any more
information?
Caught in the middle are people who are using a poorly written client.
I'd suggest in those cases that they report the problem to the client's
authors or contact me to see if it's an error on Mongrel's part.
h2. Protocol Error Reporting
The 0.3.12.1 release was the first Iron Mongrel release, but it isn't perfect
for sure. To make sure that it doesn't prevent people from making tons of
money the 0.3.12.1 release will report what data caused the parser to fail.
If you see a legit request that causes the parser to choke then send it to
me and I'll take a look.
In general though, if you are getting bad requests they are probably intentionally
malicious. The nice thing about Mongrel's parser is that the detection of
bad requests isn't based on pattern detection, but rather on just making the
HTTP protocol more strict to where bad requests get kicked out early.
h2. Reporting Security Problems
If you think you've found a security problem with Mongrel, please
report it to me right away at *zedshaw at zedshaw do com*. I'm usually
very responsive and will probably help even if the security problem is
outside of Mongrel or if you need help securing your system.

12
lib/mongrel.rb
View file

@ -524,14 +524,20 @@ module Mongrel
# Simply registers a handler with the internal URIClassifier. When the URI is # Simply registers a handler with the internal URIClassifier. When the URI is
# found in the prefix of a request then your handler's HttpHandler::process method # found in the prefix of a request then your handler's HttpHandler::process method
# is called. See Mongrel::URIClassifier#register for more information. # is called. See Mongrel::URIClassifier#register for more information.
def register(uri, handler) #
# If you set in_front=true then the passed in handler will be put in front in the list.
def register(uri, handler, in_front=false)
script_name, path_info, handlers = @classifier.resolve(uri) script_name, path_info, handlers = @classifier.resolve(uri)
if not handlers if not handlers
@classifier.register(uri, [handler]) @classifier.register(uri, [handler])
else else
if path_info.length == 0 or (script_name == Const::SLASH and path_info == Const::SLASH) if path_info.length == 0 or (script_name == Const::SLASH and path_info == Const::SLASH)
handlers << handler if in_front
handlers.unshift(handler)
else
handlers << handler
end
else else
@classifier.register(uri, [handler]) @classifier.register(uri, [handler])
end end
@ -662,7 +668,7 @@ module Mongrel
# * :handler => Handler to use for this location. # * :handler => Handler to use for this location.
def uri(location, options={}) def uri(location, options={})
ops = resolve_defaults(options) ops = resolve_defaults(options)
@listener.register(location, ops[:handler]) @listener.register(location, ops[:handler], in_front=ops[:in_front])
end end