iodine 0.7.29 → 0.7.31

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e99acc46ab75628917f405a1ef7aa08c38434f03b0210b2fd1300ddbf4cf5874
-  data.tar.gz: 05a8b2b8bcddebcb85f61257e9ab9aa762a72afba0f7b4dc569e32d1a97ebeb6
+  metadata.gz: 4333832730c27a0b0f866df2eded6d5afc707d747cec5b4e56f5303252b27b42
+  data.tar.gz: 6eb945b021821b45fb2db140f268c7c4e6910d6ce1ad18b14425eaec491ea677
 SHA512:
-  metadata.gz: bb038db0614b5c2bbda474c3c5ce25ba14ec0e70990ef799532754340842cec8aec44e52c8b3d93eec76a5d10e055948c0f3d8a5ee9eee92bf18449b8ef49f60
-  data.tar.gz: d5c078cf9d5a30d2f35c34935bb24a556c65680642c269544730cc420971de12eb90b8497303b4dfd6d971e8d9b22399a37bb21b85d804fecdf49f922b123772
+  metadata.gz: 24e5b2c190e6ee10777dcc1d7acaba00913c978bdb35a7a43b743ff62a7b344837797cb131ed3c88ac464919e80779fb16058e32b3fac6c95e11fdb9c6a50e4d
+  data.tar.gz: 2045b0b5002585b6805cafee4acd08df08ce36c4e119a742288662c64624dd8938003ee3d216cd4fd01f1d38a501f297660ca6e6cbb125bfcd39e79ebdefe028

data/CHANGELOG.md

@@ -6,6 +6,18 @@ Please notice that this change log contains changes for upcoming releases as wel
 
 ## Changes:
 
+#### Change log v.0.7.31
+
+**Security**: a heap-overflow vulnerability was fixed in the WebSocket parser. This attack could have been triggered remotely by a maliciously crafted message-header. Credit to Dane (4cad@silvertoque) for exposing this issue and providing a Python script demonstrating the attack. 
+
+It's recommended that all iodine users update to the latest version.
+
+#### Change log v.0.7.30
+
+**Update**: (`cli`) added support for the `-pid` flag - stores the master processes PID in a file.
+
+**Update**: (`cli`) added support for the `-config` (`-C`) flag - loads a configuration file immediately after loading iodine.
+
 #### Change log v.0.7.29
 
 **Fix**: fixed an issue where `env['rack.input'].read(nil, nil)` would return `nil` instead of `""` on zero-content requests (i.e., an empty POST request). Credit to @thexa4 (Max Maton) for exposing this issue and providing a POC for debugging (issue #71).

data/ext/iodine/fio_cli.c

@@ -272,19 +272,19 @@ print_help:
       switch ((size_t)type) {
       case FIO_CLI_STRING__TYPE_I:
         fprintf(stderr,
-                " \x1B[1m%.*s\x1B[0m\x1B[2m <>\x1B[0m%*s\t(same as "
-                "\x1B[1m%.*s\x1B[0m)\n",
+                " \x1B[1m%.*s\x1B[0m\x1B[2m <>\x1B[0m%*s\t\x1B[2msame as "
+                "%.*s\x1B[0m\n",
                 (int)(tmp - start), p + start, padding, "", first_len, p);
         break;
       case FIO_CLI_BOOL__TYPE_I:
         fprintf(stderr,
-                " \x1B[1m%.*s\x1B[0m   %*s\t(same as \x1B[1m%.*s\x1B[0m)\n",
+                " \x1B[1m%.*s\x1B[0m   %*s\t\x1B[2msame as %.*s\x1B[0m\n",
                 (int)(tmp - start), p + start, padding, "", first_len, p);
         break;
       case FIO_CLI_INT__TYPE_I:
         fprintf(stderr,
-                " \x1B[1m%.*s\x1B[0m\x1B[2m ##\x1B[0m%*s\t(same as "
-                "\x1B[1m%.*s\x1B[0m)\n",
+                " \x1B[1m%.*s\x1B[0m\x1B[2m ##\x1B[0m%*s\t\x1B[2msame as "
+                "%.*s\x1B[0m\n",
                 (int)(tmp - start), p + start, padding, "", first_len, p);
         break;
       }

data/ext/iodine/iodine.c

@@ -373,16 +373,15 @@ static VALUE iodine_cli_parse(VALUE self) {
       FIO_CLI_PRINT("\t\t\x1B[4mNote\x1B[0m: to bind to a Unix socket, set "
                     "\x1B[1mport\x1B[0m to 0."),
       FIO_CLI_PRINT_HEADER("Concurrency:"),
-      FIO_CLI_INT("-workers -w number of processes to use."),
       FIO_CLI_INT("-threads -t number of threads per process."),
+      FIO_CLI_INT("-workers -w number of processes to use."),
       FIO_CLI_PRINT("Negative concurrency values "
                     "map to fractions of available CPU cores."),
       FIO_CLI_PRINT_HEADER("HTTP Settings:"),
       FIO_CLI_STRING("-public -www public folder, for static file service."),
-      FIO_CLI_BOOL("-log -v HTTP request logging."),
       FIO_CLI_INT("-keep-alive -k -tout HTTP keep-alive timeout in seconds "
                   "(0..255). Default: 40s"),
-      FIO_CLI_INT("-ping websocket ping interval (0..255). Default: 40s"),
+      FIO_CLI_BOOL("-log -v HTTP request logging."),
       FIO_CLI_INT(
           "-max-body -maxbd HTTP upload limit in Mega-Bytes. Default: 50Mb"),
       FIO_CLI_INT("-max-header -maxhd header limit per HTTP request in Kb. "
@@ -390,6 +389,7 @@ static VALUE iodine_cli_parse(VALUE self) {
       FIO_CLI_PRINT_HEADER("WebSocket Settings:"),
       FIO_CLI_INT("-max-msg -maxms incoming WebSocket message limit in Kb. "
                   "Default: 250Kb"),
+      FIO_CLI_INT("-ping websocket ping interval (0..255). Default: 40s"),
       FIO_CLI_PRINT_HEADER("SSL/TLS:"),
       FIO_CLI_BOOL("-tls enable SSL/TLS using a self-signed certificate."),
       FIO_CLI_STRING(
@@ -406,9 +406,11 @@ static VALUE iodine_cli_parse(VALUE self) {
       FIO_CLI_INT(
           "-redis-ping -rp websocket ping interval (0..255). Default: 300s"),
       FIO_CLI_PRINT_HEADER("Misc:"),
+      FIO_CLI_STRING("-config -C configuration file to be loaded."),
+      FIO_CLI_STRING("-pid -pidfile name for the pid file to be created."),
+      FIO_CLI_INT("-verbosity -V 0..5 server verbosity level. Default: 4"),
       FIO_CLI_BOOL(
-          "-warmup --preload warm up the application. CAREFUL! with workers."),
-      FIO_CLI_INT("-verbosity -V 0..5 server verbosity level. Default: 4"));
+          "-warmup --preload warm up the application. CAREFUL! with workers."));
 
   /* copy values from CLI library to iodine */
   if (fio_cli_get("-V")) {
@@ -521,6 +523,15 @@ static VALUE iodine_cli_parse(VALUE self) {
     rb_hash_aset(defaults, ID2SYM(rb_intern("filename_")),
                  rb_str_new_cstr(fio_cli_unnamed(0)));
   }
+  if (fio_cli_get("-pid")) {
+    VALUE pid_filename = rb_str_new_cstr(fio_cli_get("-pid"));
+    rb_hash_aset(defaults, ID2SYM(rb_intern("pid_")), pid_filename);
+    rb_hash_aset(defaults, ID2SYM(rb_intern("pid")), pid_filename);
+  }
+  if (fio_cli_get("-config")) {
+    VALUE conf_filename = rb_str_new_cstr(fio_cli_get("-config"));
+    rb_hash_aset(defaults, ID2SYM(rb_intern("conf_")), conf_filename);
+  }
 
   /* create `filename` String, cleanup and return */
   fio_cli_end();

data/ext/iodine/websocket_parser.h

@@ -403,9 +403,13 @@ websocket_buffer_peek(void *buffer, uint64_t len) {
     if (len < 10)
       return (struct websocket_packet_info_s){0, (uint8_t)(10 + mask_l),
                                               mask_f};
-    return (struct websocket_packet_info_s){
-        websocket_str2u64(((uint8_t *)buffer + 2)), (uint8_t)(10 + mask_l),
-        mask_f};
+    {
+      uint64_t msg_len = websocket_str2u64(((uint8_t *)buffer + 2));
+      if (msg_len >> 62)
+        return (struct websocket_packet_info_s){0, 0, 0};
+      return (struct websocket_packet_info_s){msg_len, (uint8_t)(10 + mask_l),
+                                              mask_f};
+    }
   default:
     return (struct websocket_packet_info_s){len_indicator,
                                             (uint8_t)(2 + mask_l), mask_f};
@@ -421,6 +425,13 @@ static uint64_t websocket_consume(void *buffer, uint64_t len, void *udata,
                                   uint8_t require_masking) {
   volatile struct websocket_packet_info_s info =
       websocket_buffer_peek(buffer, len);
+  if (!info.head_length) {
+#if DEBUG
+    fprintf(stderr, "ERROR: WebSocket protocol error - malicious header.\n");
+#endif
+    websocket_on_protocol_error(udata);
+    return 0;
+  }
   if (info.head_length + info.packet_length > len)
     return len;
   uint64_t reminder = len;

data/lib/iodine.rb

@@ -188,6 +188,23 @@ Iodine::DEFAULT_SETTINGS[:address] ||= nil
 ### Initialize Redis if set in CLI
 Iodine::PubSub.default = Iodine::PubSub::Redis.new(Iodine::DEFAULT_SETTINGS[:redis_], ping: Iodine::DEFAULT_SETTINGS[:redis_ping_]) if Iodine::DEFAULT_SETTINGS[:redis_]
 
+### PID file generation
+if Iodine::DEFAULT_SETTINGS[:pid_]
+  pid_filename = Iodine::DEFAULT_SETTINGS[:pid_]
+  Iodine::DEFAULT_SETTINGS.delete :pid_
+  pid_filename << "iodine.pid" if(pid_filename[-1] == '/')
+  if File.exist?(pid_filename)
+    raise "pid filename shold point to a valid file name (not a folder)!" if(!File.file?(pid_filename))
+    File.delete(pid_filename)
+  end
+  Iodine.on_state(:pre_start) do
+    IO.binwrite(pid_filename, "#{Process.pid}\r\n")
+  end
+  Iodine.on_state(:on_finish) do
+    File.delete(pid_filename)
+  end
+end
+
 ### Puma / Thin DSL compatibility - depracated (DSLs are evil)
 
 if(!defined?(after_fork))
@@ -246,6 +263,11 @@ if(!defined?(before_fork))
 end
 
 
+#############
+## At end of loading
 
-
-
+### Load configuration filer
+if Iodine::DEFAULT_SETTINGS[:conf_]
+  require Iodine::DEFAULT_SETTINGS[:conf_]
+  Iodine::DEFAULT_SETTINGS.delete :conf_
+end

data/lib/iodine/version.rb

@@ -1,3 +1,3 @@
 module Iodine
-  VERSION = '0.7.29'.freeze
+  VERSION = '0.7.31'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: iodine
 version: !ruby/object:Gem::Version
-  version: 0.7.29
+  version: 0.7.31
 platform: ruby
 authors:
 - Boaz Segev
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-04-01 00:00:00.000000000 Z
+date: 2019-05-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -202,7 +202,7 @@ licenses:
 - MIT
 metadata:
   allowed_push_host: https://rubygems.org
-post_install_message: 'Thank you for installing Iodine 0.7.29.
+post_install_message: 'Thank you for installing Iodine 0.7.31.
 
 '
 rdoc_options: []