path: root/rainbows.gemspec
Date  Commit message
2010-04-19  Rainbows! 0.91.1 - use a less-broken parser from Unicorn v0.91.1
This release fixes a denial-of-service vector for deployments exposed directly to untrusted clients. The HTTP parser in Unicorn <= 0.97.0 would trip an assertion (killing the associated worker process) on invalid Content-Length headers instead of raising an exception. Since Rainbows! and Zbatery support multiple clients per worker process, all clients connected to the worker process that hit the assertion would be aborted. Deployments behind nginx are _not_ affected by this bug, as nginx will reject clients that send invalid Content-Length headers. The status of deployments behind other HTTP-aware proxies is unknown. Deployments behind a non-HTTP-aware proxy (or no proxy at all) are certainly affected by this DoS. Users are strongly encouraged to upgrade as soon as possible; there are no other changes besides this bug fix from Rainbows! 0.91.0 nor Unicorn 0.97.0. This bug affects all previously released versions of Rainbows! and Zbatery.
2010-02-24  switch to Unicorn.builder, depend on Unicorn 0.97.0+
The Unicorn.builder helper will help us avoid namespace conflicts inside config.ru, allowing us to pass tests. While we're at it, port some tests over from the latest unicorn.git for dealing with bad configs.
2010-02-13  gemspec: bump dependency on Unicorn to avoid leak
The HTTP parser in Unicorn <= 0.96.0 did not use the Ruby API correctly. While this bug did not affect Unicorn itself, Rainbows! allocates a new Unicorn::HttpParser object for every client connection and Unicorn did not properly set up the parser object to be freed.
2010-01-07  Update docs + tests to reflect Rev 0.3.2 release
Rev 0.3.2 makes performance with Threads* under Ruby 1.8 tolerable.
2009-12-29  gemspec: clamp down unicorn dependency to < 0.97.0
We may be making some changes to Unicorn 0.97.0 and allow us to share more code.
2009-12-22  gemspec: loosen Unicorn dependency
Unicorn 0.96.x should be released once Rack 1.1 is out.
2009-11-29  update gem dependency recommendations
2009-11-25  Gemcutter prep, fix RubyGems capitalization
2009-11-15  Rakefile: add raa_update task
2009-11-13  bump versions since we depend on Unicorn::ClientShutdown
2009-11-05  ev_core: remove Tempfile usage once again
We're simply too uncomfortable with the weird GC issues associated with Tempfile and having linked temporary files at all. Instead just depend on the #size-aware TmpIO class that Unicorn 0.94.0 provides for us.
2009-10-30  bump Unicorn dependency to (consistently) pass tests
Unicorn 0.93.5 came to be so the heartbeat tests could pass consistently.
2009-10-27  gemspec: bump up Unicorn dep version to 0.93.4
It's easier to support especially for Thread* models which are affected by the BSD stdio weirdness 0.93.4 works around.
2009-10-27  revactor: require 0.1.5, remove 0.1.4 workarounds
Also new are added basic HTTP tests for UNIX domain socket handling (for all models, now, of course).
2009-10-26  update gem dependencies in comments/local.mk.sample
Rack 1.0.1 is out and works nicely.
2009-10-05  Avoid naming names in LICENSE/README files
Everything is logged in git anyways and it'll be easier to hand off to somebody else.
2009-10-05  summary: s/slow apps/sleepy apps/g
I think "sleepy" is a better term than "slow" here. "slow" can mean apps that are CPU/memory bandwidth-bound, and Rainbows! sucks at those.
2009-10-05  huge documentation revamp
2009-10-04  doc updates; use "Rainbows!", not "Rainbows"
Also add notes about development things and the configuration language which uses "Rainbows!". Calling ourselves "Rainbows!" will help us be taken even more seriously than if the project were just called "Rainbows".
2009-10-02  initial revision
No tests yet, but the old "gossamer" and "rainbows" branches seem to be basically working.