[Mongrel] [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack

Ian C. Blenke ian at blenke.com
Fri Oct 27 10:39:20 EDT 2006


Sam Giffney wrote:

>Anyway I fixed this by running Ian's patch with
>
>http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/~checkout~/ruby/lib/cgi.rb?rev=1.68.2.18;content-type=application%2Fx-ruby
>
>which is the current cgi.rb from the ruby1.8 branch rather than the Main branch.
>  
>

Yeah, I think Zed's gem fix is the best approach - it patches the 
missing end boundary spin problem without any other side effects:
   
    gem install cgi_multipart_eof_fix --source=http://mongrel.rubyforge.org/releases

I've dropped the cgi.rb update directly from CVS and moved to this fix 
myself, which seems to work just fine.

Kudos Zed.

 - Ian C. Blenke <ian at blenke.com> http://ian.blenke.com/
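The "missing end boundary spin" that the thread is about, as an added example that is not code from the original post, from cgi.rb, or from Zed's cgi_multipart_eof_fix gem. It is a deliberately small multipart reader whose boundary-search loop has the same shape as the bug class: when the request body runs out before the closing boundary is seen, an unchecked reader keeps calling `read`, gets nothing back, and loops at full CPU. With `eof_check: true` the same loop raises `EOFError` the moment the input is exhausted, which is the behaviour a fix for this class of bug needs. Names such as `parse_multipart`, `read_until`, `SpinDetected`, the chunk size and the sample bodies are assumptions made for this example; the vulnerable branch is capped with a read budget so the example terminates instead of hanging.

```ruby
require 'stringio'

# Constructed sample data for this example (not from the original post).
BOUNDARY = '----example'
CHUNK = 16          # small read size so the buffer is filled across several reads
SPIN_BUDGET = 10_000 # cap on consecutive empty reads so the "vulnerable" path terminates

# Raised by the unchecked reader once it has spun on empty reads for SPIN_BUDGET
# iterations; in the real bug there is no cap and the loop runs forever.
class SpinDetected < StandardError; end

# Builds a two-part form body. With complete: false the terminating
# "--boundary--" line is omitted, which is the malicious input for this bug.
def build_body(complete)
  body = "--#{BOUNDARY}\r\n" \
         "Content-Disposition: form-data; name=\"a\"\r\n\r\n" \
         "hello\r\n" \
         "--#{BOUNDARY}\r\n" \
         "Content-Disposition: form-data; name=\"f\"; filename=\"x.txt\"\r\n\r\n" \
         'file contents'
  complete ? body + "\r\n--#{BOUNDARY}--\r\n" : body
end

# Appends chunks from io to buf until pattern appears; returns its index.
# eof_check: false reproduces the spin (read returns nil, nothing is appended,
# the loop retries). eof_check: true raises EOFError on exhausted input instead.
def read_until(io, pattern, buf, eof_check:)
  empty_reads = 0
  until (idx = buf.index(pattern))
    chunk = io.read(CHUNK)
    if chunk.nil? || chunk.empty?
      raise EOFError, "body ended before #{pattern.inspect} was found" if eof_check

      empty_reads += 1
      raise SpinDetected, "#{empty_reads} empty reads: this is the 99% CPU loop" if empty_reads >= SPIN_BUDGET

      next
    end
    buf << chunk
  end
  idx
end

# Minimal multipart/form-data reader: returns { field_name => raw_value }.
def parse_multipart(io, boundary, eof_check:)
  delim = "--#{boundary}"
  buf = +''
  parts = {}

  # Skip any preamble up to the first delimiter.
  idx = read_until(io, delim, buf, eof_check: eof_check)
  buf = buf[(idx + delim.length)..-1]

  loop do
    # Directly after a delimiter: "--" means the final boundary, "" means a part follows.
    idx = read_until(io, "\r\n", buf, eof_check: eof_check)
    marker = buf[0...idx]
    buf = buf[(idx + 2)..-1]
    break if marker == '--'

    # Part headers end at the first blank line.
    idx = read_until(io, "\r\n\r\n", buf, eof_check: eof_check)
    header_text = buf[0...idx]
    buf = buf[(idx + 4)..-1]
    name = header_text[/\bname="([^"]*)"/, 1]

    # Part body runs until CRLF followed by the next delimiter. On a truncated
    # body this is the search that never succeeds.
    idx = read_until(io, "\r\n#{delim}", buf, eof_check: eof_check)
    parts[name] = buf[0...idx]
    buf = buf[(idx + 2 + delim.length)..-1]
  end
  parts
end

# Classifies what happens for a given body and reader mode: :ok, :eof or :spin.
def outcome(body, eof_check:)
  parse_multipart(StringIO.new(body), BOUNDARY, eof_check: eof_check)
  :ok
rescue EOFError
  :eof
rescue SpinDetected
  :spin
end

if __FILE__ == $PROGRAM_NAME
  puts parse_multipart(StringIO.new(build_body(true)), BOUNDARY, eof_check: true).inspect
  puts "truncated, unchecked reader: #{outcome(build_body(false), eof_check: false)}"
  puts "truncated, EOF-checked reader: #{outcome(build_body(false), eof_check: true)}"
end
```

The well-formed body parses identically in both modes, so the EOF check has no effect on legitimate uploads; only the truncated body changes from a busy loop to a clean `EOFError`, which a server can turn into a 400 and move on.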



More information about the Mongrel-users mailing list