iodine 0.7.31 → 0.7.32


Potentially problematic release.


This version of iodine might be problematic. Click here for more details.

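--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 4333832730c27a0b0f866df2eded6d5afc707d747cec5b4e56f5303252b27b42
- data.tar.gz: 6eb945b021821b45fb2db140f268c7c4e6910d6ce1ad18b14425eaec491ea677
+ metadata.gz: 1176ef5b01b31595fe7cccdf6cad949354b5f733ae870a1b56be511d21b0a860
+ data.tar.gz: 15d65ddf131dbb20b40d4aceb6709abff2634b9a68c00e2a2f54480cbca1f9da
  SHA512:
- metadata.gz: 24e5b2c190e6ee10777dcc1d7acaba00913c978bdb35a7a43b743ff62a7b344837797cb131ed3c88ac464919e80779fb16058e32b3fac6c95e11fdb9c6a50e4d
- data.tar.gz: 2045b0b5002585b6805cafee4acd08df08ce36c4e119a742288662c64624dd8938003ee3d216cd4fd01f1d38a501f297660ca6e6cbb125bfcd39e79ebdefe028
+ metadata.gz: 12e5c3799f8f85ec60f1e5a2c596e88d5fc4f8dd1704a82a9159c4d3a6894ac48d5adcf7f36c8ab346ad764573f361090790dc96938cf4804cd4369cb2879ce6
+ data.tar.gz: 8fedb5972019f22d202d5bad886c01645caadbe864d9b959d2a11f99c70ca038d4d8042b78751c05151da2a516c02f8aeccb05fb8a283d45e533726166cafd88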
@@ -6,6 +6,10 @@ Please notice that this change log contains changes for upcoming releases as wel
6
6
 
7
7
  ## Changes:
8
8
 
9
+ #### Change log v.0.7.32
10
+
11
+ **Fix**: (`http1`) fixes a race-condition between the `on_ready` and `on_data` events, that could result in the `on_data` event being called twice instead of once (only possible with some clients). On multi-threaded workers, this could result in the CPU spinning while the task lock remains busy. Credit to Néstor Coppi (@Shelvak) for exposing the issue and providing an example application with detailed reports. Issue #75.
12
+
9
13
  #### Change log v.0.7.31
10
14
 
11
15
  **Security**: a heap-overflow vulnerability was fixed in the WebSocket parser. This attack could have been triggered remotely by a maliciously crafted message-header. Credit to Dane (4cad@silvertoque) for exposing this issue and providing a Python script demonstrating the attack.
@@ -554,7 +554,7 @@ static int http1_on_request(http1_parser_s *parser) {
554
554
  if (p->request.method && !p->stop)
555
555
  http_finish(&p->request);
556
556
  h1_reset(p);
557
- return fio_is_closed(p->p.uuid);
557
+ return !p->close && fio_is_closed(p->p.uuid);
558
558
  }
559
559
  /** called when a response was received. */
560
560
  static int http1_on_response(http1_parser_s *parser) {
@@ -563,7 +563,7 @@ static int http1_on_response(http1_parser_s *parser) {
563
563
  if (p->request.status_str && !p->stop)
564
564
  http_finish(&p->request);
565
565
  h1_reset(p);
566
- return fio_is_closed(p->p.uuid);
566
+ return !p->close && fio_is_closed(p->p.uuid);
567
567
  }
568
568
  /** called when a request method is parsed. */
569
569
  static int http1_on_method(http1_parser_s *parser, char *method,
@@ -666,7 +666,9 @@ static int http1_on_body_chunk(http1_parser_s *parser, char *data,
666
666
 
667
667
  /** called when a protocol error occurred. */
668
668
  static int http1_on_error(http1_parser_s *parser) {
669
- FIO_LOG_DEBUG("HTTP parser error.");
669
+ FIO_LOG_DEBUG("HTTP parser error at HTTP/1.1 buffer position %zu/%zu",
670
+ parser->state.next - parser2http(parser)->buf,
671
+ parser2http(parser)->buf_len);
670
672
  fio_close(parser2http(parser)->p.uuid);
671
673
  return -1;
672
674
  }
@@ -722,6 +724,7 @@ static inline void http1_consume_data(intptr_t uuid, http1pr_s *p) {
722
724
  throttle:
723
725
  /* throttle busy clients (slowloris) */
724
726
  fio_suspend(uuid);
727
+ p->stop |= 4;
725
728
  FIO_LOG_DEBUG("(HTTP/1,1) throttling client at %.*s",
726
729
  (int)fio_peer_addr(uuid).len, fio_peer_addr(uuid).data);
727
730
  }
@@ -752,7 +755,11 @@ static void http1_on_close(intptr_t uuid, fio_protocol_s *protocol) {
752
755
  /** called when the connection was closed, but will not run concurrently */
753
756
  static void http1_on_ready(intptr_t uuid, fio_protocol_s *protocol) {
754
757
  /* resume slow clients from suspension */
755
- fio_force_event(uuid, FIO_EVENT_ON_DATA);
758
+ http1pr_s *p = (http1pr_s *)protocol;
759
+ if ((p->stop & 4)) {
760
+ p->stop ^= 4;
761
+ fio_force_event(uuid, FIO_EVENT_ON_DATA);
762
+ }
756
763
  (void)protocol;
757
764
  }
758
765
 
@@ -769,6 +776,7 @@ static void http1_on_data_first_time(intptr_t uuid, fio_protocol_s *protocol) {
769
776
 
770
777
  /* ensure future reads skip this first time HTTP/2.0 test */
771
778
  p->p.protocol.on_data = http1_on_data;
779
+ /* Test fot HTTP/2.0 pre-knowledge */
772
780
  if (i >= 24 && !memcmp(p->buf, "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n", 24)) {
773
781
  FIO_LOG_WARNING("client claimed unsupported HTTP/2 prior knowledge.");
774
782
  fio_close(uuid);
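Review bot: The throttle marker set in `http1_consume_data` (`p->stop |= 4;`) and cleared in `http1_on_ready` (`p->stop ^= 4;`) is an unnamed bit in a field that `http1_on_request` and `http1_on_response` test as a plain boolean (`!p->stop`), and both updates are plain, unsynchronized read-modify-writes. The changelog describes `on_ready` and `on_data` as racing, so if these callbacks can run on different threads an update could be lost, and an `on_ready` that fires between `fio_suspend(uuid)` and the `|=` would skip `fio_force_event` and could leave a throttled client suspended; the locking is not shown on this page and `http1_consume_data` starts outside its hunk, so this needs confirming. I would name the flag (for instance `#define HTTP1_STOP_THROTTLED 4`, a suggested name), clear it with `p->stop &= ~4;` so the intent does not depend on the preceding test, document it with a comment such as `/* 0x4: suspended by the slowloris throttle; cleared only in on_ready */`, and drop the now-redundant `(void)protocol;`. Separately, in `http1_on_error` the difference `parser->state.next - parser2http(parser)->buf` has type `ptrdiff_t` but is printed with `%zu`; `%td` or an explicit `(size_t)` cast would match the argument.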
@@ -1,3 +1,3 @@
1
1
  module Iodine
2
- VERSION = '0.7.31'.freeze
2
+ VERSION = '0.7.32'.freeze
3
3
  end
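--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: iodine
  version: !ruby/object:Gem::Version
- version: 0.7.31
+ version: 0.7.32
  platform: ruby
  authors:
  - Boaz Segev
  autorequire:
  bindir: exe
  cert_chain: []
- date: 2019-05-17 00:00:00.000000000 Z
+ date: 2019-06-01 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake
@@ -202,7 +202,7 @@ licenses:
  - MIT
  metadata:
  allowed_push_host: https://rubygems.org
- post_install_message: 'Thank you for installing Iodine 0.7.31.
+ post_install_message: 'Thank you for installing Iodine 0.7.32.
 
  '
  rdoc_options: []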