passenger 5.1.0 → 5.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d5ca56d2326b729cc6c4f2368298916d7cd5b8b9
-  data.tar.gz: 3f00d42375d7ebbfd44dd39cb2a344d3d2b6a50a
+  metadata.gz: e732defdfa61deaff680b48bf2fd783134050c1b
+  data.tar.gz: f8d8c05559321f7f6d6059789be3d6623993b58d
 SHA512:
-  metadata.gz: dae6078363636179a8518af992befdf05d3cc177d3f33d1d73903b3471d111bb93f3edc321ff0fe433dc13db8d09147e46956f039835967600f25a66792925de
-  data.tar.gz: d0284ac79900ce6829686b5d87d78be45bd369b203ea2443e674af4e5658942258635fb4ba975c53ef91dcf1761871f22df237ca830c054de31aaafbdf3be6c3
+  metadata.gz: aa29f680f64378dacedb351de1f1674b731a01233da13347c932bf83d38157782d2451dc4b64f966c402d7f265c01bf53cef7863ab58a57618e89f95ad1c33bb
+  data.tar.gz: dba2a004f2557967fcf5c49680af2487a654e4d0c843f2e5fe12c49e93d2839ae4fa6ae68463f61051886f586a79ccde5bd1ece95941cbf3787e7a78862b8fdc

data/CHANGELOG

@@ -1,5 +1,19 @@
-Next version (not yet released)
--------------------------------
+Release 5.1.1
+-------------
+
+ * The precompiled version of the PassengerAgent binary (used for e.g. gem installs) now configures (statically linked) libcurl with system keystore, so that the new security update check can successfully validate certs.
+ * Fixes some false positives (logging) from the new Node and Meteor cluster warning system. Logging is less repetitive and has extra debug info. Closes GH-1905.
+ * Updates the upload-progress module in the Nginx Debian package. The module version that we linked against in 5.1.0 was 0.9.2, but due to a bug in that version the module didn't work.
+ * The security update check now reports whether libcurl + SSL backend are statically linked to Passenger, in which case the check also needs to warn about relevant OpenSSL vulnerabilities in the linked library.
+ * Increases the allowed line lengths emmited by apps at startup.
+ * Adds support for the unary 'not' operator in the Union Station filter language.
+ * [Enterprise] Add missing flying-passenger integration mode to security update check. 
+ * Fixes support for Rails 5.0.1 Action Cable. Specifically, we now support the `options` argument in the `write_nonblock` method in hijacked Rack IO sockets.
+ * [Apache] Introduces a small delay to prevent running the Security Update Checker twice at startup.
+
+
+Release 5.1.0
+--------------
 
  * Upgrades union_station_hooks_core to version 2.1.2.
  * [Enterprise] When running a Rails app in multithreaded mode, Passenger Enterprise automatically tags Rails logs with the current thread number. This makes it possible to distinguish logs generated by different threads.

data/build/packaging.rb

@@ -404,7 +404,7 @@ task 'package:initiate_binaries_building' do
   request = Net::HTTP::Post.new(uri.request_uri)
   request.set_form_data("token" => jenkins_token)
   response = http.request(request)
-  if response.code != 200 && response.body != "Scheduled.\n"
+  if response.code != 201
     abort "*** ERROR: Cannot initiate building of binaries:\n" +
       "Status: #{response.code}\n\n" +
       response.body
@@ -451,7 +451,7 @@ task 'package:initiate_debian_building' do
   request = Net::HTTP::Post.new(uri.request_uri)
   request.set_form_data("token" => jenkins_token)
   response = http.request(request)
-  if response.code != 200 && response.body != "Scheduled.\n"
+  if response.code != 201
     abort "*** ERROR: Cannot initiate building of Debian packages:\n" +
       "Status: #{response.code}\n\n" +
       response.body
@@ -498,7 +498,7 @@ task 'package:initiate_rpm_building' do
   request = Net::HTTP::Post.new(uri.request_uri)
   request.set_form_data("token" => jenkins_token)
   response = http.request(request)
-  if response.code != 200 && response.body != "Scheduled.\n"
+  if response.code != 201
     abort "*** ERROR: Cannot initiate building of RPM packages:\n" +
       "Status: #{response.code}\n\n" +
       response.body
@@ -507,7 +507,8 @@ task 'package:initiate_rpm_building' do
 end
 
 task 'package:build_osx_binaries' do
-  sh "env ENTERPRISE=#{is_enterprise?} TESTING=false " \
+  sh "env ENTERPRISE=#{!!is_enterprise?} TESTING=false " \
+    "PASSENGER_ROOT=#{Shellwords.shellescape Dir.pwd} " \
     "./packaging/binaries/integration/publish/macos.sh"
 end
 

data/src/agent/Core/CoreMain.cpp

@@ -787,6 +787,9 @@ initializeSecurityUpdateChecker() {
 		if (!standaloneEngine.empty()) {
 			serverIntegration.append(" " + standaloneEngine);
 		}
+		if (options.get("server_software").find(FLYING_PASSENGER_NAME) != string::npos) {
+			serverIntegration.append(" flying");
+		}
 		string serverVersion = options.get("server_version", false); // not set in case of standalone / builtin
 
 		workingObjects->securityUpdateChecker = new SecurityUpdateChecker(workingObjects->resourceLocator, proxy, serverIntegration, serverVersion);

data/src/agent/Core/SecurityUpdateChecker.h

@@ -57,6 +57,8 @@ private:
 
 	void threadMain() {
 		TRACE_POINT();
+		// Sleep for a short while to allow interruption during the Apache integration double startup procedure, this prevents running the update check twice
+		boost::this_thread::sleep_for(boost::chrono::seconds(2));
 		while (!this_thread::interruption_requested()) {
 			UPDATE_TRACE_POINT();
 			int backoffMin = 0;
@@ -117,7 +119,7 @@ private:
 			case CURLE_SSL_CACERT_BADFILE:
 				error.append(" while connecting to " CHECK_URL_DEFAULT " " +
 						(proxyAddress.empty() ? "" : "using proxy " + proxyAddress) + "; this might happen if the nss backend "
-						"is installed for libcurl instead of gnutls or openssl. If the problem persists, you can also try upgrading "
+						"is installed for libcurl instead of GnuTLS or OpenSSL. If the problem persists, you can also try upgrading "
 						"or reinstalling " SHORT_PROGRAM_NAME);
 				break;
 
@@ -191,9 +193,9 @@ private:
 	 */
 	CURLcode prepareCurlPOST(CURL *curl, string &bodyJsonString, string *responseData, struct curl_slist **chunk) {
 		CURLcode code;
-		
+
 		// Hint for advanced debugging: curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
-		
+
 		if (CURLE_OK != (code = curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1))) {
 			return code;
 		}
@@ -389,6 +391,7 @@ public:
 
 		bodyJson["server_integration"] = serverIntegration;
 		bodyJson["server_version"] = serverVersion;
+		bodyJson["curl_static"] = isCurlStaticallyLinked();
 
 		string nonce;
 		if (!fillNonce(nonce)) {
@@ -416,6 +419,12 @@ public:
 				logUpdateFail("File not readable: " + clientCertPath);
 				break;
 			}
+
+			if (CURLE_OK != (code = setCurlDefaultCaInfo(curl))) {
+				logUpdateFailCurl(code);
+				break;
+			}
+
 			// string localApprovedCert = "/your/ca.crt"; // for testing against a local server
 			// curl_easy_setopt(curl, CURLOPT_CAINFO, localApprovedCert.c_str());
 
@@ -431,6 +440,7 @@ public:
 				break;
 			}
 
+			P_DEBUG("sending: " << bodyJsonString);
 			if (CURLE_OK != (code = sendAndReceive(curl, &responseData, &responseCode))) {
 				logUpdateFailCurl(code);
 				break;
@@ -448,6 +458,7 @@ public:
 				logUpdateFailResponse("json parse", responseData);
 				break;
 			}
+			P_DEBUG("received: " << responseData);
 
 			// 3b. Verify response: signature
 			if (!responseJson.isObject() || !responseJson["data"].isString() || !responseJson["signature"].isString()) {
@@ -490,6 +501,7 @@ public:
 				logUpdateFailResponse("unparseable data", responseData);
 				break;
 			}
+			P_DEBUG("data content (signature OK): " << responseDataJson.toStyledString());
 
 			if (!responseDataJson.isObject() || !responseDataJson["update"].isInt() || !responseDataJson["nonce"].isString()) {
 				logUpdateFailResponse("missing data fields", responseData);

data/src/agent/Core/SpawningKit/SmartSpawner.h

@@ -684,12 +684,12 @@ private:
 		}
 		writeExact(fd, "\n", &timeout);
 
-		result = io.readLine(1024, &timeout);
+		result = io.readLine(1024 * 8, &timeout);
 		if (result == "OK\n") {
 			UPDATE_TRACE_POINT();
 			pid_t spawnedPid;
 
-			spawnedPid = atoi(io.readLine(1024, &timeout).c_str());
+			spawnedPid = atoi(io.readLine(1024 * 8, &timeout).c_str());
 			if (spawnedPid <= 0) {
 				BackgroundIOCapturerPtr stderrCapturer;
 				throwPreloaderSpawnException("An error occurred while starting "

data/src/agent/Core/SpawningKit/Spawner.h

@@ -691,7 +691,7 @@ protected:
 	string readMessageLine(Details &details) {
 		TRACE_POINT();
 		while (true) {
-			string result = details.io.readLine(1024 * 4, &details.timeout);
+			string result = details.io.readLine(1024 * 16, &details.timeout);
 			string line = result;
 			if (!line.empty() && line[line.size() - 1] == '\n') {
 				line.erase(line.size() - 1, 1);

data/src/cxx_supportlib/Constants.h

@@ -80,7 +80,7 @@
 #define PASSENGER_API_VERSION_MAJOR 0
 #define PASSENGER_API_VERSION_MINOR 3
 #define PASSENGER_DEFAULT_USER "nobody"
-#define PASSENGER_VERSION "5.1.0"
+#define PASSENGER_VERSION "5.1.1"
 #define POOL_HELPER_THREAD_STACK_SIZE 262144
 #define PROCESS_SHUTDOWN_TIMEOUT 60
 #define PROCESS_SHUTDOWN_TIMEOUT_DISPLAY "1 minute"

data/src/cxx_supportlib/UnionStationFilterSupport.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2011-2015 Phusion Holding B.V.
+ *  Copyright (c) 2011-2016 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -197,8 +197,7 @@ private:
 		case '=':
 			return matchToken(NOT_EQUALS, 2);
 		default:
-			raiseSyntaxError("unrecognized operator '" + data.substr(pos, 2) + "'");
-			return Token(); // Shut up compiler warning.
+			return matchToken(NOT, 1);
 		};
 	}
 

data/src/cxx_supportlib/Utils/BufferedIO.h

@@ -221,7 +221,7 @@ public:
 	 * @throws SecurityException
 	 * @throws boost::thread_interrupted
 	 */
-	string readLine(unsigned int max = 1024, unsigned long long *timeout = NULL) {
+	string readLine(unsigned int max = 1024 * 8, unsigned long long *timeout = NULL) {
 		string output;
 		readUntil(
 			boost::bind(newlineFound,

data/src/cxx_supportlib/Utils/Curl.h

@@ -1,6 +1,6 @@
 /*
  *  Phusion Passenger - https://www.phusionpassenger.com/
- *  Copyright (c) 2013 Phusion Holding B.V.
+ *  Copyright (c) 2013-2016 Phusion Holding B.V.
  *
  *  "Passenger", "Phusion Passenger" and "Union Station" are registered
  *  trademarks of Phusion Holding B.V.
@@ -198,6 +198,51 @@ setCurlProxy(CURL *curl, const CurlProxyInfo &proxyInfo) {
 	}
 }
 
+inline bool
+isCurlStaticallyLinked() {
+	#ifdef CURL_IS_STATICALLY_LINKED
+		return true;
+	#else
+		return false;
+	#endif
+}
+
+inline CURLcode
+setCurlDefaultCaInfo(CURL *curl) {
+	#ifdef CURL_IS_STATICALLY_LINKED
+		static const char *candidates[] = {
+			// Debian, Ubuntu
+			"/etc/ssl/certs/ca-certificates.crt",
+			// Red Hat, CentOS, Fedora
+			"/etc/pki/tls/certs/ca-bundle.crt",
+			// Older Red Hat
+			"/usr/share/ssl/certs/ca-bundle.crt",
+			// FreeBSD
+			"/usr/local/share/certs/ca-root-nss.crt",
+			// OpenBSD, FreeBSD (symlink)
+			"/etc/ssl/cert.pem",
+			// SUSE
+			"/etc/ssl/certs"
+		};
+		unsigned int i;
+
+		for (i = 0; i < sizeof(candidates) / sizeof(const char *); i++) {
+			switch (getFileType(candidates[i])) {
+			case FT_REGULAR:
+				return curl_easy_setopt(curl, CURLOPT_CAINFO, candidates[i]);
+			case FT_DIRECTORY:
+				return curl_easy_setopt(curl, CURLOPT_CAPATH, candidates[i]);
+			default:
+				break;
+			}
+		}
+
+		return CURLE_SSL_CACERT_BADFILE;
+	#else
+		return CURLE_OK;
+	#endif
+}
+
 } // namespace Passenger
 
 #endif /* _PASSENGER_UTILS_CURL_H_ */

data/src/helper-scripts/node-loader.js

@@ -30,13 +30,29 @@ var os = require('os');
 var fs = require('fs');
 var net = require('net');
 var http = require('http');
+var util = require('util');
+
+var nodeClusterErrCount = 0;
+var meteorClusterErrCount = 0;
 
 function badPackageError(packageName) {
 	return "You required the " + packageName + ", which is incompatible with Passenger, a non-functional shim was returned and your app may still work. However, please remove the related code as soon as possible.";
 }
 
-function errorMockingRequire(packageName, error) {
-	return "Failed to install shim to guard against the " + packageName + ". Error: " + error.message;
+// Logs failure to install shim + extended debug info, but with strict spamming protection.
+function errorMockingRequire(packageName, error, args, count) {
+	if (count > 2) {
+		return; // spam protect against repeated warnings
+	}
+	var msg = "Failed to install shim to guard against the " + packageName + ". Due to: " + error.message + ". Your can safely ignore this warning if you are not using " + packageName;
+	msg += "\n\tNode version: " + process.version + "\tArguments: " + args.length;
+	for (i = 0; i < args.length; i++) {
+		if (i > 9) { // limit the amount of array elements we log
+			break;
+		}
+		msg += "\n\t[" + i + "] " + util.inspect(args[i]).substr(0, 200); // limit the characters per array element
+	};
+	console.error(msg);
 }
 
 //Mock out Node Cluster Module
@@ -45,7 +61,7 @@ var originalRequire = Module.prototype.require;
 Module.prototype.require = function() {
 	try {
 		if (arguments['0'] == 'cluster') {
-			console.error(badPackageError("Node Cluster module"));
+			console.trace(badPackageError("Node Cluster module"));
 			return {
 				disconnect		 : function(){return false;},
 				fork			 : function(){return false;},
@@ -57,13 +73,12 @@ Module.prototype.require = function() {
 				worker			 : false,
 				workers			 : false,
 			};
-		} else {
-			return originalRequire.apply(this, arguments);
 		}
 	} catch (e) {
-		console.error(errorMockingRequire("Node Cluster module", e));
-		return originalRequire.apply(this, arguments);
+		nodeClusterErrCount++;
+		errorMockingRequire("Node Cluster module", e, arguments, nodeClusterErrCount);
 	}
+	return originalRequire.apply(this, arguments);
 };
 
 //Mock out Meteor Cluster Module
@@ -76,7 +91,7 @@ vm.runInThisContext = function() {
 			scriptPath = scriptPath['filename'];
 		}
 		if (scriptPath.indexOf('meteorhacks_cluster') != -1) {
-			console.error(badPackageError("Meteorhacks cluster package"));
+			console.trace(badPackageError("Meteorhacks cluster package"));
 			return (function() {
 				Package['meteorhacks:cluster'] = {
 					Cluster: {
@@ -93,13 +108,12 @@ vm.runInThisContext = function() {
 					}
 				};
 			});
-		} else {
-			return orig_func.apply(this, arguments);
 		}
 	} catch (e) {
-		console.error(errorMockingRequire("Meteorhacks Cluster package", e));
-		return orig_func.apply(this, arguments);
+		meteorClusterErrCount++;
+		errorMockingRequire("Meteorhacks Cluster package", e, arguments, meteorClusterErrCount);
 	}
+	return orig_func.apply(this, arguments);
 };
 
 var LineReader = require('phusion_passenger/line_reader').LineReader;

data/src/ruby_supportlib/phusion_passenger.rb

@@ -31,7 +31,7 @@ module PhusionPassenger
 
   PACKAGE_NAME = 'passenger'
   # Run 'rake src/cxx_supportlib/Constants.h' after changing this number.
-  VERSION_STRING = '5.1.0'
+  VERSION_STRING = '5.1.1'
 
   PREFERRED_NGINX_VERSION = '1.10.2'
   NGINX_SHA256_CHECKSUM = '1045ac4987a396e2fa5d0011daf8987b612dd2f05181b67507da68cbe7d765c2'

data/src/ruby_supportlib/phusion_passenger/utils/unseekable_socket.rb

@@ -117,8 +117,8 @@ module PhusionPassenger
         raise annotate(e)
       end
 
-      def write_nonblock(string)
-        @socket.write_nonblock(string)
+      def write_nonblock(string, *args)
+        @socket.write_nonblock(string, *args)
       rescue => e
         raise annotate(e)
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: passenger
 version: !ruby/object:Gem::Version
-  version: 5.1.0
+  version: 5.1.1
 platform: ruby
 authors:
 - Phusion - http://www.phusion.nl/
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-12-15 00:00:00.000000000 Z
+date: 2016-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake