[Mongrel] [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack
Ian C. Blenke
ian at blenke.com
Fri Oct 27 10:39:20 EDT 2006
Sam Giffney wrote:
>Anyway I fixed this by running Ian's patch with
>
>http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/~checkout~/ruby/lib/cgi.rb?rev=1.68.2.18;content-type=application%2Fx-ruby
>
>which is the current cgi.rb from the ruby1.8 branch rather than the Main branch.
>
>
Yeah, I think Zed's gem fix is the best approach - it patches the
missing end boundary spin problem without any other side effects:
    gem install cgi_multipart_eof_fix --source=http://mongrel.rubyforge.org/releases
I've dropped the cgi.rb update directly from CVS and moved to this fix
myself, which seems to work just fine.
Kudos Zed.
- Ian C. Blenke <ian at blenke.com> http://ian.blenke.com/