mongrel 1.1.3 → 1.1.4

data/CHANGELOG

@@ -1,4 +1,6 @@
 
+v1.1.4. Fix camping handler. Correct treatment of @throttle parameter.
+
 v1.1.3. Fix security flaw of DirHandler; reported on mailing list.
 
 v1.1.2. Fix worker termination bug; fix JRuby 1.0.3 load order issue; fix require issue on systems without Rubygems.

data/ext/http11/http11.c

@@ -384,7 +384,7 @@ void Init_http11()
   DEF_GLOBAL(server_protocol, "SERVER_PROTOCOL");
   DEF_GLOBAL(server_protocol_value, "HTTP/1.1");
   DEF_GLOBAL(http_host, "HTTP_HOST");
-  DEF_GLOBAL(mongrel_version, "Mongrel 1.1.3"); /* XXX Why is this defined here? */
+  DEF_GLOBAL(mongrel_version, "Mongrel 1.1.4"); /* XXX Why is this defined here? */
   DEF_GLOBAL(server_software, "SERVER_SOFTWARE");
   DEF_GLOBAL(port_80, "80");
 

data/ext/http11_java/org/jruby/mongrel/Http11.java

@@ -215,7 +215,7 @@ public class Http11 extends RubyObject {
 
                 req.setInstanceVariable("@http_body", RubyString.newString(runtime, new ByteList(hp.parser.buffer, at, length)));
                 req.aset(runtime.newString("SERVER_PROTOCOL"),runtime.newString("HTTP/1.1"));
-                req.aset(runtime.newString("SERVER_SOFTWARE"),runtime.newString("Mongrel 1.1.3"));
+                req.aset(runtime.newString("SERVER_SOFTWARE"),runtime.newString("Mongrel 1.1.4"));
             }
         };
 

data/lib/mongrel.rb

@@ -96,7 +96,7 @@ module Mongrel
       @host = host
       @port = port
       @workers = ThreadGroup.new
-      @throttle = throttle
+      @throttle = throttle / 100.0
       @num_processors = num_processors
       @timeout = timeout
     end
@@ -286,7 +286,7 @@ module Mongrel
                 thread[:started_on] = Time.now
                 @workers.add(thread)
   
-                sleep @throttle/100.0 if @throttle > 0
+                sleep @throttle if @throttle > 0
               end
             rescue StopServer
               break

data/lib/mongrel/const.rb

@@ -65,7 +65,7 @@ module Mongrel
     REQUEST_URI='REQUEST_URI'.freeze
     REQUEST_PATH='REQUEST_PATH'.freeze
 
-    MONGREL_VERSION="1.1.3".freeze
+    MONGREL_VERSION="1.1.4".freeze
 
     MONGREL_TMP_BASE="mongrel".freeze
 

data/lib/mongrel/handlers.rb

@@ -8,7 +8,6 @@ require 'mongrel/stats'
 require 'zlib'
 require 'yaml'
 
-
 module Mongrel
 
   # You implement your application handler with this.  It's very light giving
@@ -102,7 +101,8 @@ module Mongrel
   #
   # If you pass nil as the root path, it will not check any locations or
   # expand any paths. This lets you serve files from multiple drives
-  # on win32.
+  # on win32. It should probably not be used in a public-facing way
+  # without additional checks.
   #
   # The default content type is "text/plain; charset=ISO-8859-1" but you
   # can change it anything you want using the DirHandler.default_content_type
@@ -120,7 +120,7 @@ module Mongrel
     # You give it the path to the directory root and and optional listing_allowed and index_html
     def initialize(path, listing_allowed=true, index_html="index.html")
       @path = File.expand_path(path) if path
-      @listing_allowed=listing_allowed
+      @listing_allowed = listing_allowed
       @index_html = index_html
       @default_content_type = "application/octet-stream".freeze
     end
@@ -132,12 +132,8 @@ module Mongrel
       # Add the drive letter or root path
       req_path = File.join(@path, req_path) if @path
       req_path = File.expand_path req_path
-     
-      # do not remove the check for @path at the beginning, it's what prevents
-      # the serving of arbitrary files (and good programmer Rule #1 Says: If
-      # you don't understand something, it's not because I'm stupid, it's
-      # because you are).
-      if req_path.index(@path) == 0 and File.exist? req_path
+      
+      if File.exist? req_path and (!@path or req_path.index(@path) == 0)
         # It exists and it's in the right location
         if File.directory? req_path
           # The request is for a directory
@@ -157,7 +153,7 @@ module Mongrel
           return req_path
         end
       else
-        # does not exist or isn't in the right spot or isn't valid because not start with @path
+        # does not exist or isn't in the right spot
         return nil
       end
     end

data/mongrel.gemspec

@@ -1,16 +1,16 @@
 
-# Gem::Specification for Mongrel-1.1.3
+# Gem::Specification for Mongrel-1.1.4
 # Originally generated by Echoe
 
 Gem::Specification.new do |s|
   s.name = %q{mongrel}
-  s.version = "1.1.3"
+  s.version = "1.1.4"
 
   s.specification_version = 2 if s.respond_to? :specification_version=
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Zed A. Shaw"]
-  s.date = %q{2008-01-01}
+  s.date = %q{2008-02-29}
   s.default_executable = %q{mongrel_rails}
   s.description = %q{A small fast HTTP library and server that runs Rails, Camping, Nitro and Iowa apps.}
   s.email = %q{}
@@ -42,9 +42,10 @@ end
 # e = Echoe.new("mongrel") do |p|
 #   p.summary = "A small fast HTTP library and server that runs Rails, Camping, Nitro and Iowa apps."
 #   p.author ="Zed A. Shaw"
-#   p.clean_pattern = ['ext/http11/*.{bundle,so,o,obj,pdb,lib,def,exp}', 'lib/*.{bundle,so,o,obj,pdb,lib,def,exp}', 'ext/http11/Makefile', 'pkg', 'lib/*.bundle', '*.gem', 'site/output', '.config', 'lib/http11.jar', 'ext/http11_java/classes', 'coverage']
+#   p.clean_pattern = ['ext/http11/*.{bundle,so,o,obj,pdb,lib,def,exp}', 'lib/*.{bundle,so,o,obj,pdb,lib,def,exp}', 'ext/http11/Makefile', 'pkg', 'lib/*.bundle', '*.gem', 'site/output', '.config', 'lib/http11.jar', 'ext/http11_java/classes', 'coverage', 'doc']
 #   p.url = "http://mongrel.rubyforge.org"
 #   p.rdoc_pattern = ['README', 'LICENSE', 'CHANGELOG', 'COPYING', 'lib/**/*.rb', 'doc/**/*.rdoc']
+#   p.docs_host = 'mongrel.cloudbur.st:/home/eweaver/www/mongrel/htdocs/web'
 #   p.ignore_pattern = /^(pkg|site|projects|doc|log)|CVS|\.log/
 #   p.ruby_version = '>=1.8.4'
 #   p.dependencies = ['gem_plugin >=0.2.3']  
@@ -225,44 +226,8 @@ end
 # #### Site upload tasks
 # 
 # namespace :site do
-# 
-#   desc "Package and upload .gem files and .tgz files for Mongrel and all subprojects to http://mongrel.rubyforge.org/releases/"
-#   task :source => [:package_all] do
-#     rm_rf "pkg/gems"
-#     rm_rf "pkg/tars"
-#     mkdir_p "pkg/gems"
-#     mkdir_p "pkg/tars"
-# 
-#     FileList["**/*.gem"].each { |gem| mv gem, "pkg/gems" }
-#     FileList["**/*.tgz"].each {|tgz| mv tgz, "pkg/tars" }
-# 
-#     sh "rm -rf pkg/mongrel*"
-#     sh "gem generate_index -d pkg"
-#     sh "scp -r CHANGELOG pkg/* rubyforge.org:/var/www/gforge-projects/mongrel/releases/"
-#     sh "svn log -v > SVN_LOG"
-#     sh "scp -r SVN_LOG pkg/* rubyforge.org:/var/www/gforge-projects/mongrel/releases/"
-#     rm "SVN_LOG"
-#   end
-# 
-#   desc "Upload the website"
-#   task :web do
-#     # Requires the 'webgem' gem
-#     sh "cd site; webgen; webgen; curl 'http://feed43.com/mongrel.xml' > output/rss.xml; rsync -azv --no-perms --no-times output/* rubyforge.org:/var/www/gforge-projects/mongrel/"
-#     puts "\nMake sure to re-run the site update 6 hours later if you updated the news. This delay is required for Feed43 to pick up the site changes."
-#   end
-# 
-#   desc "Upload the rdocs"
-#   task :rdoc => [:doc] do
-#     sh "rsync -azv --no-perms --no-times doc/* rubyforge.org:/var/www/gforge-projects/mongrel/rdoc/"
-#     sh "cd projects/gem_plugin; rake site:rdoc"
-#   end
-# 
 #   desc "Upload the coverage report"
 #   task :coverage => [:rcov] do
-#     sh "rsync -azv --no-perms --no-times test/coverage/* rubyforge.org:/var/www/gforge-projects/mongrel/coverage/" rescue nil
+#     sh "rsync -azv --no-perms --no-times test/coverage/* mongrel.cloudbur.st:/home/eweaver/www/mongrel/htdocs/web/coverage" rescue nil
 #   end
-# 
-#   desc "Upload the website, the rdocs, and the coverage report"
-#   task :all => [:clean, :web, :rdoc, :coverage]
-# 
 # end

data/test/test_handlers.rb

@@ -49,11 +49,17 @@ class HandlersTest < Test::Unit::TestCase
         uri "/relative", :handler => Mongrel::DirHandler.new(nil, listing_allowed=false, index_html="none")
       end
     end
+    
+    File.open("/tmp/testfile", 'w') do
+      # Do nothing
+    end
+    
     @config.run
   end
 
   def teardown
     @config.stop(false, true)
+    File.delete "/tmp/testfile"
   end
 
   def test_more_web_server
@@ -66,14 +72,28 @@ class HandlersTest < Test::Unit::TestCase
           "http://localhost:9998/files_nodir/rdoc/",
           "http://localhost:9998/status",
     ])
-
-    # XXX This can't possibly have good coverage.
     check_status res, String
   end
+  
+  def test_nil_dirhandler
+    # Camping uses this internally
+    handler = Mongrel::DirHandler.new(nil, false)  
+    assert handler.can_serve("/tmp/testfile")
+    # Not a bug! A nil @file parameter is the only circumstance under which
+    # we are allowed to serve any existing file
+    assert handler.can_serve("../../../../../../../../../../tmp/testfile")
+  end
+  
+  def test_non_nil_dirhandler_is_not_vulnerable_to_path_traversal
+    # The famous security bug of Mongrel 1.1.2
+    handler = Mongrel::DirHandler.new("/doc", false)
+    assert_nil handler.can_serve("/tmp/testfile")
+    assert_nil handler.can_serve("../../../../../../../../../../tmp/testfile")
+  end
 
   def test_deflate
     Net::HTTP.start("localhost", 9998) do |h|
-      # test that no accept-encoding returns a non-deflated response
+      # Test that no accept-encoding returns a non-deflated response
       req = h.get("/dumb")
       assert(
         !req['Content-Encoding'] ||

data/test/test_ws.rb

@@ -94,7 +94,7 @@ class WebServerTest < Test::Unit::TestCase
 
   def test_num_processors_overload
     redirect_test_io do
-      assert_raises Errno::ECONNRESET, Errno::EPIPE, Errno::ECONNABORTED, Errno::EINVAL do
+      assert_raises Errno::ECONNRESET, Errno::EPIPE, Errno::ECONNABORTED, Errno::EINVAL, IOError do
         tests = [
           Thread.new { do_test(@valid_request, 1) },
           Thread.new { do_test(@valid_request, 10) },

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: mongrel
 version: !ruby/object:Gem::Version 
-  version: 1.1.3
+  version: 1.1.4
 platform: ruby
 authors: 
 - Zed A. Shaw
@@ -52,7 +52,7 @@ cert_chain:
   ALN3mi/9z0Mf1YroliUgF0v5Yw==
   -----END CERTIFICATE-----
 
-date: 2008-01-01 00:00:00 -05:00
+date: 2008-02-29 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency