passenger 4.0.44 → 4.0.45

data/ext/common/ApplicationPool2/AppTypes.cpp

@@ -30,7 +30,12 @@
 namespace Passenger {
 namespace ApplicationPool2 {
 
-// Don't forget to update ApplicationPool2::Options::getStartCommand() too.
+/* If you update this structure, also update the following:
+ * - ApplicationPool2::Options::getStartCommand()
+ * - lib/phusion_passenger/standalone/app_finder.rb
+ * - The documentation for `PassengerAppEnv` (Apache) and `passenger_app_env` (Nginx)
+ * - The Developer Guide, section "Executing the loader or preloader"
+ */
 const AppTypeDefinition appTypeDefinitions[] = {
 	{ PAT_RACK, "rack", "config.ru", "Passenger RackApp" },
 	{ PAT_WSGI, "wsgi", "passenger_wsgi.py", "Passenger WsgiApp" },

data/ext/common/ApplicationPool2/Implementation.cpp

@@ -1290,7 +1290,7 @@ Session::getGupid() const {
 	return getProcess()->gupid;
 }
 
-int
+unsigned int
 Session::getStickySessionId() const {
 	return getProcess()->stickySessionId;
 }

data/ext/common/ApplicationPool2/Session.h

@@ -108,7 +108,7 @@ public:
 	const string &getConnectPassword() const;
 	pid_t getPid() const;
 	const string &getGupid() const;
-	int getStickySessionId() const;
+	unsigned int getStickySessionId() const;
 	const GroupPtr getGroup() const;
 	void requestOOBW();
 	int kill(int signo);

data/ext/common/Constants.h

@@ -36,7 +36,7 @@
 #define DEFAULT_BACKEND_ACCOUNT_RIGHTS Account::DETACH
 
 
-	#define APACHE2_DOC_URL "http://www.modrails.com/documentation/Users%20guide%20Apache.html"
+	#define APACHE2_DOC_URL "https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html"
 
 	#define DEB_APACHE_MODULE_PACKAGE "libapache2-mod-passenger"
 
@@ -68,6 +68,8 @@
 
 	#define DEFAULT_START_TIMEOUT 90000
 
+	#define DEFAULT_STICKY_SESSIONS_COOKIE_NAME "_passenger_route"
+
 	#define DEFAULT_THREAD_COUNT 1
 
 	#define DEFAULT_UNION_STATION_GATEWAY_ADDRESS "gateway.unionstationapp.com"
@@ -76,19 +78,19 @@
 
 	#define DEFAULT_WEB_APP_USER "nobody"
 
-	#define ENTERPRISE_URL "http://www.phusionpassenger.com/enterprise"
+	#define ENTERPRISE_URL "https://www.phusionpassenger.com/enterprise"
 
 	#define FEEDBACK_FD 3
 
-	#define INDEX_DOC_URL "http://www.modrails.com/documentation/Users%20guide.html"
+	#define INDEX_DOC_URL "https://www.phusionpassenger.com/documentation/Users%20guide.html"
 
 	#define MESSAGE_SERVER_MAX_PASSWORD_SIZE 100
 
 	#define MESSAGE_SERVER_MAX_USERNAME_SIZE 100
 
-	#define NGINX_DOC_URL "http://www.modrails.com/documentation/Users%20guide%20Nginx.html"
+	#define NGINX_DOC_URL "https://www.phusionpassenger.com/documentation/Users%20guide%20Nginx.html"
 
-	#define PASSENGER_VERSION "4.0.44"
+	#define PASSENGER_VERSION "4.0.45"
 
 	#define POOL_HELPER_THREAD_STACK_SIZE 262144
 
@@ -114,11 +116,11 @@
 
 	#define SERVER_INSTANCE_DIR_STRUCTURE_MINOR_VERSION 0
 
-	#define STANDALONE_DOC_URL "http://www.modrails.com/documentation/Users%20guide%20Standalone.html"
+	#define STANDALONE_DOC_URL "https://www.phusionpassenger.com/documentation/Users%20guide%20Standalone.html"
 
 	#define STANDALONE_NGINX_CONFIGURE_OPTIONS "--with-cc-opt='-Wno-error' --without-http_fastcgi_module --without-http_scgi_module --without-http_uwsgi_module --with-http_gzip_static_module --with-http_stub_status_module --with-http_ssl_module"
 
-	#define SUPPORT_URL "http://www.phusionpassenger.com/support"
+	#define SUPPORT_URL "https://www.phusionpassenger.com/documentation_and_support"
 
 
 #endif /* _PASSENGER_CONSTANTS_H */

data/ext/common/Utils/HttpHeaderBufferer.h

@@ -28,6 +28,7 @@
 #include <string>
 #include <algorithm>
 #include <cstddef>
+#include <cstring>
 #include <cassert>
 #include <StaticString.h>
 #include <Utils/StreamBoyerMooreHorspool.h>
@@ -41,7 +42,8 @@ using namespace std;
  *
  * Feed data until acceptingInput() is false. The entire HTTP header
  * will become available through getData(). Non-HTTP header data is
- * not consumed and will not be included in getData().
+ * not consumed and will not be included in getData(). 100-Continue
+ * messages are ignored.
  *
  * This class has zero-copy support. If the first feed already contains
  * an entire HTTP header getData() will point to the fed data. Otherwise
@@ -77,6 +79,13 @@ private:
 		char padding[SBMH_SIZE(4)];
 	} u;
 	
+	bool is100Continue(const StaticString &buffer) const {
+		return buffer.size() >= sizeof("HTTP/1.1 100 Continue\r\n") - 1
+			&& memcmp(buffer.data(), "HTTP/1.", sizeof("HTTP/1.") - 1) == 0
+			&& memcmp(buffer.data() + sizeof("HTTP/1.1 ") - 1,
+				"100 Continue\r\n", sizeof("100 Continue\r\n") - 1) == 0;
+	}
+
 public:
 	HttpHeaderBufferer() {
 		sbmh_init(&u.terminatorFinder,
@@ -114,8 +123,13 @@ public:
 				(const unsigned char *) data,
 				feedSize);
 			if (u.terminatorFinder.found) {
-				state = DONE;
-				this->data = StaticString(data, accepted);
+				if (is100Continue(StaticString(data, accepted))) {
+					reset();
+					accepted += feed(data + accepted, size - accepted);
+				} else {
+					state = DONE;
+					this->data = StaticString(data, accepted);
+				}
 			} else if (feedSize == max) {
 				state = ERROR;
 				this->data = StaticString(data, accepted);
@@ -135,7 +149,12 @@ public:
 			buffer.append(data, accepted);
 			this->data = buffer;
 			if (u.terminatorFinder.found) {
-				state = DONE;
+				if (is100Continue(buffer)) {
+					reset();
+					accepted += feed(data + accepted, size - accepted);
+				} else {
+					state = DONE;
+				}
 			} else if (buffer.size() == (size_t) max) {
 				state = ERROR;
 			}

data/ext/common/Utils/StrIntUtils.h

@@ -144,6 +144,41 @@ string replaceAll(const string &str, const string &toFind, const string &replace
  */
 string strip(const StaticString &str);
 
+/**
+ * Given a pointer to a NULL-terminated string, update it to a
+ * position where all leading whitespaces (0x20) have been skipped.
+ */
+inline void
+skipLeadingWhitespaces(const char **data) {
+	while (**data == ' ') {
+		(*data)++;
+	}
+}
+
+/**
+ * Given a pointer to a string and its end, update the begin pointer to a
+ * position where all leading whitespaces (0x20) have been skipped.
+ * The pointer will not be moved past `end`.
+ */
+inline void
+skipLeadingWhitespaces(const char **data, const char *end) {
+	while (*data < end && **data == ' ') {
+		(*data)++;
+	}
+}
+
+/**
+ * Given a string and a pointer to its position within it, update the pointer
+ * to a position where all trailing whitespaces (0x20) have been skipped.
+ * The pointer will not be moved before `begin`.
+ */
+inline void
+skipTrailingWhitespaces(const char *begin, const char **pos) {
+	while (*pos > begin && (*pos)[-1] == ' ') {
+		(*pos)--;
+	}
+}
+
 /**
  * Convert anything to a string.
  */

data/ext/common/Utils/StringScanning.h

@@ -29,6 +29,7 @@
 #include <cstdlib>
 #include <string>
 #include <StaticString.h>
+#include <Utils/StrIntUtils.h>
 
 
 /**
@@ -58,13 +59,6 @@ using namespace std;
 
 struct ParseException {};
 
-inline void
-_skipLeadingWhitespaces(const char **data) {
-	while (**data == ' ') {
-		(*data)++;
-	}
-}
-
 /**
  * Scan the given data for the first word that appears on the first line.
  * Leading whitespaces (but not newlines) are ignored. If a word is found
@@ -78,7 +72,7 @@ _skipLeadingWhitespaces(const char **data) {
  */
 inline StaticString
 readNextWord(const char **data) {
-	_skipLeadingWhitespaces(data);
+	skipLeadingWhitespaces(data);
 	if (**data == '\n' || **data == '\0') {
 		throw ParseException();
 	}
@@ -201,7 +195,7 @@ readNextWordAsDouble(const char **data) {
  */
 inline string
 readRestOfLine(const char *data) {
-	_skipLeadingWhitespaces(&data);
+	skipLeadingWhitespaces(&data);
 	// Rest of line is allowed to be empty.
 	if (*data == '\n' || *data == '\0') {
 		return "";
@@ -251,7 +245,7 @@ skipToNextLine(const char **data) {
  */
 inline StaticString
 readNextSentence(const char **data, char terminator) {
-	_skipLeadingWhitespaces(data);
+	skipLeadingWhitespaces(data);
 	if (**data == '\n' || **data == '\0' || **data == terminator) {
 		throw ParseException();
 	}

data/ext/common/agents/HelperAgent/RequestHandler.h

@@ -85,24 +85,22 @@
                present?   header present?       protocol
     ---------------------------------------------------------------------------------------------
 
-    GET/HEAD   -          Y                     -              Reject request[1]
+    GET/HEAD   Y          Y                     -              Reject request[1]
     Other      Y          -                     -              Reject request[2]
 
-    -          N          N                     http_session   Set requestBodyLength=0, keep socket open when done forwarding.
     GET/HEAD   Y          N                     http_session   Set requestBodyLength=-1, keep socket open when done forwarding.
-    Other      N          Y                     http_session   Keep socket open when done forwarding. If Transfer-Encoding is
+    -          N          N                     http_session   Set requestBodyLength=0, keep socket open when done forwarding.
+    -          N          Y                     http_session   Keep socket open when done forwarding. If Transfer-Encoding is
                                                                chunked, rechunck the body during forwarding.
 
-    -          N          N                     session        Set requestBodyLength=0, half-close app socket when done forwarding.
     GET/HEAD   Y          N                     session        Set requestBodyLength=-1, half-close app socket when done forwarding.
-    Other      N          Y                     session        Half-close app socket when done forwarding.
+    -          N          N                     session        Set requestBodyLength=0, half-close app socket when done forwarding.
+    -          N          Y                     session        Half-close app socket when done forwarding.
     ---------------------------------------------------------------------------------------------
 
     [1] Supporting situations in which there is both an HTTP request body and WebSocket data
-        is way too complicated. The RequestHandler code is complicated enough as it is.
-        Furthermore, GET requests with a body, although legal, are almost nonexistent and
-        support by other servers are shaky at best. For these reasons, we don't bother
-        supporting GET requests with body at all.
+        is way too complicated. The RequestHandler code is complicated enough as it is,
+        so we choose not to support requests like these.
     [2] RFC 6455 states that WebSocket upgrades may only happen over GET requests.
         We don't bother supporting non-WebSocket upgrades.
 
@@ -1135,11 +1133,37 @@ private:
 		// Add sticky session ID.
 		if (client->stickySession && client->session != NULL) {
 			StaticString cookieName = getStickySessionCookieName(client);
+			// Note that we do NOT set HttpOnly. If we set that flag then Chrome
+			// doesn't send cookies over WebSocket handshakes. Confirmed on Chrome 25.
 			headerData.append("Set-Cookie: ");
 			headerData.append(cookieName.data(), cookieName.size());
 			headerData.append("=");
 			headerData.append(toString(client->session->getStickySessionId()));
-			headerData.append("; HttpOnly\r\n");
+			headerData.append("\r\n");
+
+			// Invalidate all cookies with a different route.
+			// 
+			// TODO: This is not entirely correct. Clients MAY send multiple Cookie
+			// headers, although this is in practice extremely rare.
+			// http://stackoverflow.com/questions/16305814/are-multiple-cookie-headers-allowed-in-an-http-request
+			StaticString cookieHeader = client->scgiParser.getHeader("HTTP_COOKIE");
+			vector< pair<StaticString, StaticString> > cookies;
+			pair<StaticString, StaticString> cookie;
+
+			parseCookieHeader(cookieHeader, cookies);
+
+			foreach (cookie, cookies) {
+				if (cookie.first == cookieName) {
+					unsigned int stickySessionId = stringToUint(cookie.second);
+					if (stickySessionId != client->session->getStickySessionId()) {
+						headerData.append("Set-Cookie: ");
+						headerData.append(cookie.first.data(), cookie.first.size());
+						headerData.append("=");
+						headerData.append(cookie.second.data(), cookie.second.size());
+						headerData.append("; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT\r\n");
+					}
+				}
+			}
 		}
 
 		// Add Date header. https://code.google.com/p/phusion-passenger/issues/detail?id=485
@@ -1206,6 +1230,7 @@ private:
 						disconnectWithError(client, "application response format error (invalid header)");
 					} else {
 						// Now that we have a full header, do something with it.
+						RH_TRACE(client, 3, "Response header fully buffered");
 						client->responseHeaderSeen = true;
 						StaticString header = client->responseHeaderBufferer.getData();
 						if (processResponseHeader(client, header)) {
@@ -1776,18 +1801,10 @@ private:
 		const bool requestIsGetOrHead = requestMethod == "GET" || requestMethod == "HEAD";
 		const bool requestBodyOffered = contentLength != -1 || !transferEncoding.empty();
 
-		// Reject requests that have a request body even though it's not allowed,
-		// and requests that have an Upgrade header even though it's not allowed.
-		if (requestIsGetOrHead) {
-			if (requestBodyOffered) {
-				reportBadRequestAndDisconnect(client, "Bad request (GET and HEAD requests may not contain a request body)");
-				return;
-			}
-		} else {
-			if (!upgrade.empty()) {
-				reportBadRequestAndDisconnect(client, "Bad request (Upgrade header is only allowed for non-GET and non-HEAD requests)");
-				return;
-			}
+		// Reject requests that have a request body and an Upgrade header.
+		if (!requestIsGetOrHead && !upgrade.empty()) {
+			reportBadRequestAndDisconnect(client, "Bad request (Upgrade header is only allowed for non-GET and non-HEAD requests)");
+			return;
 		}
 
 		if (!requestBodyOffered) {
@@ -1960,48 +1977,72 @@ private:
 		}
 	}
 
+	void parseCookieHeader(const StaticString &header,
+		vector< pair<StaticString, StaticString> > &cookies) const
+	{
+		// See http://stackoverflow.com/questions/6108207/definite-guide-to-valid-cookie-values
+		// for syntax grammar.
+		vector<StaticString> parts;
+		vector<StaticString>::const_iterator it, it_end;
+
+		split(header, ';', parts);
+		cookies.reserve(parts.size());
+		it_end = parts.end();
+
+		for (it = parts.begin(); it != it_end; it++) {
+			const char *begin = it->data();
+			const char *end = it->data() + it->size();
+			const char *sep;
+
+			skipLeadingWhitespaces(&begin, end);
+			skipTrailingWhitespaces(begin, &end);
+
+			// Find the separator ('=').
+			sep = (const char *) memchr(begin, '=', end - begin);
+			if (sep != NULL) {
+				// Valid cookie. Otherwise, ignore it.
+				const char *nameEnd = sep;
+				const char *valueBegin = sep + 1;
+
+				skipTrailingWhitespaces(begin, &nameEnd);
+				skipLeadingWhitespaces(&valueBegin, end);
+
+				cookies.push_back(make_pair(
+					StaticString(begin, nameEnd - begin),
+					StaticString(valueBegin, end - valueBegin)
+				));
+			}
+		}
+	}
+
 	void setStickySessionId(const ClientPtr &client) {
 		ScgiRequestParser &parser = client->scgiParser;
-		if (parser.getHeader("PASSENGER_STICKY_SESSION") == "true") {
+		if (parser.getHeader("PASSENGER_STICKY_SESSIONS") == "true") {
 			// TODO: This is not entirely correct. Clients MAY send multiple Cookie
 			// headers, although this is in practice extremely rare.
 			// http://stackoverflow.com/questions/16305814/are-multiple-cookie-headers-allowed-in-an-http-request
-			StaticString cookie = parser.getHeader("HTTP_COOKIE");
+			StaticString cookieHeader = parser.getHeader("HTTP_COOKIE");
 			StaticString cookieName = getStickySessionCookieName(client);
-			vector<StaticString> parts;
+			vector< pair<StaticString, StaticString> > cookies;
+			pair<StaticString, StaticString> cookie;
 
 			client->stickySession = true;
-			split(cookie, ';', parts);
-			foreach (StaticString part, parts) {
-				const char *begin = part.data();
-				const char *end = part.data() + part.size();
-				const char *sep;
-
-				// Skip leading whitespace in the name.
-				while (begin < end && *begin == ' ') {
-					begin++;
-				}
-				part = StaticString(begin, end - begin);
-
-				// Find the separator ('=').
-				sep = (const char *) memchr(begin, '=', end - begin);
-				if (sep != NULL) {
-					StaticString name(begin, sep - begin);
-					if (name == cookieName) {
-						// This cookie matches the one we're looking for.
-						StaticString value(sep + 1, end - (sep + 1));
-						client->options.stickySessionId = stringToUint(value);
-						return;
-					}
+			parseCookieHeader(cookieHeader, cookies);
+			foreach (cookie, cookies) {
+				if (cookie.first == cookieName) {
+					// This cookie matches the one we're looking for.
+					client->options.stickySessionId = stringToUint(cookie.second);
+					return;
 				}
 			}
 		}
 	}
 
 	StaticString getStickySessionCookieName(const ClientPtr &client) const {
-		StaticString value = client->scgiParser.getHeader("PASSENGER_STICKY_SESSION_COOKIE_NAME");
+		StaticString value = client->scgiParser.getHeader("PASSENGER_STICKY_SESSIONS_COOKIE_NAME");
 		if (value.empty()) {
-			return StaticString("_passenger_route", sizeof("_passenger_route") - 1);
+			return StaticString(DEFAULT_STICKY_SESSIONS_COOKIE_NAME,
+				sizeof(DEFAULT_STICKY_SESSIONS_COOKIE_NAME) - 1);
 		} else {
 			return value;
 		}

data/ext/nginx/CacheLocationConfig.c

@@ -246,6 +246,20 @@ u_char int_buf[32], *end, *buf, *pos;
 		}
 	
 
+	
+		if (conf->sticky_sessions != NGX_CONF_UNSET) {
+			len += 26;
+			len += conf->sticky_sessions ? sizeof("true") : sizeof("false");
+		}
+	
+
+	
+		if (conf->sticky_sessions_cookie_name.data != NULL) {
+			len += 38;
+			len += conf->sticky_sessions_cookie_name.len + 1;
+		}
+	
+
 
 /* Create string */
 buf = pos = ngx_pnalloc(cf->pool, len);
@@ -604,6 +618,32 @@ buf = pos = ngx_pnalloc(cf->pool, len);
 		}
 	
 
+	
+		if (conf->sticky_sessions != NGX_CONF_UNSET) {
+			pos = ngx_copy(pos,
+				"PASSENGER_STICKY_SESSIONS",
+				26);
+			if (conf->sticky_sessions) {
+				pos = ngx_copy(pos, "true", sizeof("true"));
+			} else {
+				pos = ngx_copy(pos, "false", sizeof("false"));
+			}
+		}
+	
+
+	
+		if (conf->sticky_sessions_cookie_name.data != NULL) {
+			pos = ngx_copy(pos,
+				"PASSENGER_STICKY_SESSIONS_COOKIE_NAME",
+				38);
+			pos = ngx_copy(pos,
+				conf->sticky_sessions_cookie_name.data,
+				conf->sticky_sessions_cookie_name.len);
+			*pos = '\0';
+			pos++;
+		}
+	
+
 
 conf->options_cache.data = buf;
 conf->options_cache.len = pos - buf;