iodine 0.7.29 → 0.7.31


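--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: e99acc46ab75628917f405a1ef7aa08c38434f03b0210b2fd1300ddbf4cf5874
- data.tar.gz: 05a8b2b8bcddebcb85f61257e9ab9aa762a72afba0f7b4dc569e32d1a97ebeb6
+ metadata.gz: 4333832730c27a0b0f866df2eded6d5afc707d747cec5b4e56f5303252b27b42
+ data.tar.gz: 6eb945b021821b45fb2db140f268c7c4e6910d6ce1ad18b14425eaec491ea677
  SHA512:
- metadata.gz: bb038db0614b5c2bbda474c3c5ce25ba14ec0e70990ef799532754340842cec8aec44e52c8b3d93eec76a5d10e055948c0f3d8a5ee9eee92bf18449b8ef49f60
- data.tar.gz: d5c078cf9d5a30d2f35c34935bb24a556c65680642c269544730cc420971de12eb90b8497303b4dfd6d971e8d9b22399a37bb21b85d804fecdf49f922b123772
+ metadata.gz: 24e5b2c190e6ee10777dcc1d7acaba00913c978bdb35a7a43b743ff62a7b344837797cb131ed3c88ac464919e80779fb16058e32b3fac6c95e11fdb9c6a50e4d
+ data.tar.gz: 2045b0b5002585b6805cafee4acd08df08ce36c4e119a742288662c64624dd8938003ee3d216cd4fd01f1d38a501f297660ca6e6cbb125bfcd39e79ebdefe028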
@@ -6,6 +6,18 @@ Please notice that this change log contains changes for upcoming releases as wel
6
6
 
7
7
  ## Changes:
8
8
 
9
+ #### Change log v.0.7.31
10
+
11
+ **Security**: a heap-overflow vulnerability was fixed in the WebSocket parser. This attack could have been triggered remotely by a maliciously crafted message-header. Credit to Dane (4cad@silvertoque) for exposing this issue and providing a Python script demonstrating the attack.
12
+
13
+ It's recommended that all iodine users update to the latest version.
14
+
15
+ #### Change log v.0.7.30
16
+
17
+ **Update**: (`cli`) added support for the `-pid` flag - stores the master processes PID in a file.
18
+
19
+ **Update**: (`cli`) added support for the `-config` (`-C`) flag - loads a configuration file immediately after loading iodine.
20
+
9
21
  #### Change log v.0.7.29
10
22
 
11
23
  **Fix**: fixed an issue where `env['rack.input'].read(nil, nil)` would return `nil` instead of `""` on zero-content requests (i.e., an empty POST request). Credit to @thexa4 (Max Maton) for exposing this issue and providing a POC for debugging (issue #71).
@@ -272,19 +272,19 @@ print_help:
272
272
  switch ((size_t)type) {
273
273
  case FIO_CLI_STRING__TYPE_I:
274
274
  fprintf(stderr,
275
- " \x1B[1m%.*s\x1B[0m\x1B[2m <>\x1B[0m%*s\t(same as "
276
- "\x1B[1m%.*s\x1B[0m)\n",
275
+ " \x1B[1m%.*s\x1B[0m\x1B[2m <>\x1B[0m%*s\t\x1B[2msame as "
276
+ "%.*s\x1B[0m\n",
277
277
  (int)(tmp - start), p + start, padding, "", first_len, p);
278
278
  break;
279
279
  case FIO_CLI_BOOL__TYPE_I:
280
280
  fprintf(stderr,
281
- " \x1B[1m%.*s\x1B[0m %*s\t(same as \x1B[1m%.*s\x1B[0m)\n",
281
+ " \x1B[1m%.*s\x1B[0m %*s\t\x1B[2msame as %.*s\x1B[0m\n",
282
282
  (int)(tmp - start), p + start, padding, "", first_len, p);
283
283
  break;
284
284
  case FIO_CLI_INT__TYPE_I:
285
285
  fprintf(stderr,
286
- " \x1B[1m%.*s\x1B[0m\x1B[2m ##\x1B[0m%*s\t(same as "
287
- "\x1B[1m%.*s\x1B[0m)\n",
286
+ " \x1B[1m%.*s\x1B[0m\x1B[2m ##\x1B[0m%*s\t\x1B[2msame as "
287
+ "%.*s\x1B[0m\n",
288
288
  (int)(tmp - start), p + start, padding, "", first_len, p);
289
289
  break;
290
290
  }
@@ -373,16 +373,15 @@ static VALUE iodine_cli_parse(VALUE self) {
373
373
  FIO_CLI_PRINT("\t\t\x1B[4mNote\x1B[0m: to bind to a Unix socket, set "
374
374
  "\x1B[1mport\x1B[0m to 0."),
375
375
  FIO_CLI_PRINT_HEADER("Concurrency:"),
376
- FIO_CLI_INT("-workers -w number of processes to use."),
377
376
  FIO_CLI_INT("-threads -t number of threads per process."),
377
+ FIO_CLI_INT("-workers -w number of processes to use."),
378
378
  FIO_CLI_PRINT("Negative concurrency values "
379
379
  "map to fractions of available CPU cores."),
380
380
  FIO_CLI_PRINT_HEADER("HTTP Settings:"),
381
381
  FIO_CLI_STRING("-public -www public folder, for static file service."),
382
- FIO_CLI_BOOL("-log -v HTTP request logging."),
383
382
  FIO_CLI_INT("-keep-alive -k -tout HTTP keep-alive timeout in seconds "
384
383
  "(0..255). Default: 40s"),
385
- FIO_CLI_INT("-ping websocket ping interval (0..255). Default: 40s"),
384
+ FIO_CLI_BOOL("-log -v HTTP request logging."),
386
385
  FIO_CLI_INT(
387
386
  "-max-body -maxbd HTTP upload limit in Mega-Bytes. Default: 50Mb"),
388
387
  FIO_CLI_INT("-max-header -maxhd header limit per HTTP request in Kb. "
@@ -390,6 +389,7 @@ static VALUE iodine_cli_parse(VALUE self) {
390
389
  FIO_CLI_PRINT_HEADER("WebSocket Settings:"),
391
390
  FIO_CLI_INT("-max-msg -maxms incoming WebSocket message limit in Kb. "
392
391
  "Default: 250Kb"),
392
+ FIO_CLI_INT("-ping websocket ping interval (0..255). Default: 40s"),
393
393
  FIO_CLI_PRINT_HEADER("SSL/TLS:"),
394
394
  FIO_CLI_BOOL("-tls enable SSL/TLS using a self-signed certificate."),
395
395
  FIO_CLI_STRING(
@@ -406,9 +406,11 @@ static VALUE iodine_cli_parse(VALUE self) {
406
406
  FIO_CLI_INT(
407
407
  "-redis-ping -rp websocket ping interval (0..255). Default: 300s"),
408
408
  FIO_CLI_PRINT_HEADER("Misc:"),
409
+ FIO_CLI_STRING("-config -C configuration file to be loaded."),
410
+ FIO_CLI_STRING("-pid -pidfile name for the pid file to be created."),
411
+ FIO_CLI_INT("-verbosity -V 0..5 server verbosity level. Default: 4"),
409
412
  FIO_CLI_BOOL(
410
- "-warmup --preload warm up the application. CAREFUL! with workers."),
411
- FIO_CLI_INT("-verbosity -V 0..5 server verbosity level. Default: 4"));
413
+ "-warmup --preload warm up the application. CAREFUL! with workers."));
412
414
 
413
415
  /* copy values from CLI library to iodine */
414
416
  if (fio_cli_get("-V")) {
@@ -521,6 +523,15 @@ static VALUE iodine_cli_parse(VALUE self) {
521
523
  rb_hash_aset(defaults, ID2SYM(rb_intern("filename_")),
522
524
  rb_str_new_cstr(fio_cli_unnamed(0)));
523
525
  }
526
+ if (fio_cli_get("-pid")) {
527
+ VALUE pid_filename = rb_str_new_cstr(fio_cli_get("-pid"));
528
+ rb_hash_aset(defaults, ID2SYM(rb_intern("pid_")), pid_filename);
529
+ rb_hash_aset(defaults, ID2SYM(rb_intern("pid")), pid_filename);
530
+ }
531
+ if (fio_cli_get("-config")) {
532
+ VALUE conf_filename = rb_str_new_cstr(fio_cli_get("-config"));
533
+ rb_hash_aset(defaults, ID2SYM(rb_intern("conf_")), conf_filename);
534
+ }
524
535
 
525
536
  /* create `filename` String, cleanup and return */
526
537
  fio_cli_end();
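Review bot: The `-pid` value is stored under both `pid_` and `pid` while `-config` is stored only under `conf_`, and the Ruby side shown further down consumes and deletes only `:pid_`; if the second key is meant to stay visible to the application after startup, a one-line comment saying so would help, otherwise the two branches should mirror each other. `fio_cli_get("-pid")` is also called twice where one `const char *pid = fio_cli_get("-pid");` would do. Both paths come straight from the command line and are trusted here, and the `-config` path is later executed as Ruby via `require`, so that trust boundary is worth stating in the help text for `-config`. iodine_cli_parse starts and ends outside this hunk.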
@@ -403,9 +403,13 @@ websocket_buffer_peek(void *buffer, uint64_t len) {
403
403
  if (len < 10)
404
404
  return (struct websocket_packet_info_s){0, (uint8_t)(10 + mask_l),
405
405
  mask_f};
406
- return (struct websocket_packet_info_s){
407
- websocket_str2u64(((uint8_t *)buffer + 2)), (uint8_t)(10 + mask_l),
408
- mask_f};
406
+ {
407
+ uint64_t msg_len = websocket_str2u64(((uint8_t *)buffer + 2));
408
+ if (msg_len >> 62)
409
+ return (struct websocket_packet_info_s){0, 0, 0};
410
+ return (struct websocket_packet_info_s){msg_len, (uint8_t)(10 + mask_l),
411
+ mask_f};
412
+ }
409
413
  default:
410
414
  return (struct websocket_packet_info_s){len_indicator,
411
415
  (uint8_t)(2 + mask_l), mask_f};
@@ -421,6 +425,13 @@ static uint64_t websocket_consume(void *buffer, uint64_t len, void *udata,
421
425
  uint8_t require_masking) {
422
426
  volatile struct websocket_packet_info_s info =
423
427
  websocket_buffer_peek(buffer, len);
428
+ if (!info.head_length) {
429
+ #if DEBUG
430
+ fprintf(stderr, "ERROR: WebSocket protocol error - malicious header.\n");
431
+ #endif
432
+ websocket_on_protocol_error(udata);
433
+ return 0;
434
+ }
424
435
  if (info.head_length + info.packet_length > len)
425
436
  return len;
426
437
  uint64_t reminder = len;
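Review bot: The new `{0, 0, 0}` sentinel from websocket_buffer_peek is understood only by the `!info.head_length` check in websocket_consume, and nothing explains why lengths are cut at bit 62 rather than the 63 bits RFC 6455 permits (the MSB MUST be 0); a comment at the rejection, `/* reject lengths >= 2^62 so head_length + packet_length cannot wrap below len */`, and one at the check, `/* head_length == 0: the parser rejected the header */`, would make the contract explicit. Returning 0 from websocket_consume after signalling the error leaves the offending bytes unconsumed, so the caller must close the connection or discard the buffer on websocket_on_protocol_error rather than call consume again with the same data — that caller is outside this hunk and worth confirming. websocket_buffer_peek begins before the first hunk and websocket_consume continues past the second.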
@@ -188,6 +188,23 @@ Iodine::DEFAULT_SETTINGS[:address] ||= nil
188
188
  ### Initialize Redis if set in CLI
189
189
  Iodine::PubSub.default = Iodine::PubSub::Redis.new(Iodine::DEFAULT_SETTINGS[:redis_], ping: Iodine::DEFAULT_SETTINGS[:redis_ping_]) if Iodine::DEFAULT_SETTINGS[:redis_]
190
190
 
191
+ ### PID file generation
192
+ if Iodine::DEFAULT_SETTINGS[:pid_]
193
+ pid_filename = Iodine::DEFAULT_SETTINGS[:pid_]
194
+ Iodine::DEFAULT_SETTINGS.delete :pid_
195
+ pid_filename << "iodine.pid" if(pid_filename[-1] == '/')
196
+ if File.exist?(pid_filename)
197
+ raise "pid filename shold point to a valid file name (not a folder)!" if(!File.file?(pid_filename))
198
+ File.delete(pid_filename)
199
+ end
200
+ Iodine.on_state(:pre_start) do
201
+ IO.binwrite(pid_filename, "#{Process.pid}\r\n")
202
+ end
203
+ Iodine.on_state(:on_finish) do
204
+ File.delete(pid_filename)
205
+ end
206
+ end
207
+
191
208
  ### Puma / Thin DSL compatibility - depracated (DSLs are evil)
192
209
 
193
210
  if(!defined?(after_fork))
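Review bot: The pid file is written as `"#{Process.pid}\r\n"`, and the trailing CR survives shell command substitution, so the conventional `kill $(cat iodine.pid)` passes `1234\r` as the argument; write `IO.binwrite(pid_filename, "#{Process.pid}\n")` instead. The `:on_finish` hook calls `File.delete` unconditionally, so a file that was already removed (or removed first by a sibling if the hook also runs in forked workers — can't tell from here) raises Errno::ENOENT during shutdown; `File.delete(pid_filename) if File.exist?(pid_filename)` or rescuing Errno::ENOENT avoids that. The raise message has a typo, `shold` for `should`. Note also that a pre-existing pid file is deleted at load time without checking whether the process it names is still running.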
@@ -246,6 +263,11 @@ if(!defined?(before_fork))
246
263
  end
247
264
 
248
265
 
266
+ #############
267
+ ## At end of loading
249
268
 
250
-
251
-
269
+ ### Load configuration filer
270
+ if Iodine::DEFAULT_SETTINGS[:conf_]
271
+ require Iodine::DEFAULT_SETTINGS[:conf_]
272
+ Iodine::DEFAULT_SETTINGS.delete :conf_
273
+ end
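Review bot: `require Iodine::DEFAULT_SETTINGS[:conf_]` treats the `-config` value as a feature name, so a relative path such as `-C iodine.rb` is searched on `$LOAD_PATH` (which no longer includes the working directory) and raises LoadError unless the user writes `./iodine.rb` or an absolute path; `require File.expand_path(Iodine::DEFAULT_SETTINGS[:conf_])` resolves it against the working directory as users expect. Because the file is executed as Ruby with the server's privileges, the comment should say so, e.g. `### Load configuration file (executed as Ruby code — trust the path as you would the application itself)`; the existing comment also reads `filer` for `file`. Whether load-once `require` or re-evaluating `load` is intended here is a design choice worth a note.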
@@ -1,3 +1,3 @@
1
1
  module Iodine
2
- VERSION = '0.7.29'.freeze
2
+ VERSION = '0.7.31'.freeze
3
3
  end
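--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: iodine
  version: !ruby/object:Gem::Version
- version: 0.7.29
+ version: 0.7.31
  platform: ruby
  authors:
  - Boaz Segev
  autorequire:
  bindir: exe
  cert_chain: []
- date: 2019-04-01 00:00:00.000000000 Z
+ date: 2019-05-17 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake
@@ -202,7 +202,7 @@ licenses:
  - MIT
  metadata:
  allowed_push_host: https://rubygems.org
- post_install_message: 'Thank you for installing Iodine 0.7.29.
+ post_install_message: 'Thank you for installing Iodine 0.7.31.
  
  '
  rdoc_options: []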