[Mongrel] [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack

Ian C. Blenke ian at blenke.com
Thu Oct 26 17:31:46 EDT 2006


Zed A. Shaw wrote:

>What's this "patch for svn rev 356" you speak of?  Is it something I should include?

I stole it blindly from Michael Moen's mongrel-users list posts recently:

    http://rubyforge.org/pipermail/mongrel-users/2006-October/001928.html
    http://rubyforge.org/pipermail/mongrel-users/2006-October/001938.html

I figured that a few lines couldn't hurt:

    mongrel$ svn diff -r 355:356 trunk/

    Index: trunk/lib/mongrel.rb
    ===================================================================
    --- trunk/lib/mongrel.rb        (revision 355)
    +++ trunk/lib/mongrel.rb        (revision 356)
    @@ -219,7 +219,9 @@
             read_body(remain, content_length, dispatcher)
           end

    -      @body.rewind if body
    +      raise HttpParserError.new("BAD CLIENT: Actual body length 
does not match Content-Length") if @body.pos != content_length
    +
    +      @body.rewind if @body
         end
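
Review bot: the new `raise HttpParserError ... if @body.pos != content_length` runs before the `@body.rewind if @body` guard two lines below, and that guard (tightened here from `if body` to `if @body`) implies `@body` can be nil at this point, for instance on a request with no body; in that case `@body.pos` raises NoMethodError rather than HttpParserError. Either guard the check the same way (`if @body && @body.pos != content_length`) or establish that `@body` is always set before this line. Also confirm that `content_length` is a non-nil Integer here, since the visible context does not show where it is parsed; otherwise a request without a Content-Length header would fail the comparison and be rejected as a bad client. The intent, rejecting a body shorter than the advertised Content-Length before it reaches cgi.rb, is what stops the CPU spin, so it deserves a one-line comment saying so.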


    @@ -687,7 +689,6 @@
                   reap_dead_workers("max processors")
                 else
                   thread = Thread.new(client) {|c| process_client(c) }
    -              thread.abort_on_exception = true
                   thread[:started_on] = Time.now
                   @workers.add(thread)
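Review bot: removing `thread.abort_on_exception = true` changes the failure semantics of the worker threads: an exception escaping process_client used to terminate the whole Mongrel process, and now it only ends that worker thread. That is what keeps the HttpParserError added in the earlier hunk from taking the server down on a single bad request, but it also means a worker that dies for any other reason disappears silently unless process_client itself rescues and logs. Confirm that it does (its body is not in this diff), and note in the commit message that the two hunks depend on each other.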
   

- Ian C. Blenke <ian at blenke.com> http://ian.blenke.com/


