unicorn Ruby/Rack server user+dev discussion/patches/pulls/bugs/help
 help / color / mirror / code / Atom feed
From: Lawrence Pit <lawrence.pit@gmail.com>
To: unicorn-public@bogomips.org
Subject: Re: unicorn log attack?
Date: Mon, 1 Feb 2016 16:04:35 +1100	[thread overview]
Message-ID: <CAGHrWsiqS486dqLPw9mZiooLXk2yso-JEtnr1vM02HeP+f_2Ug@mail.gmail.com> (raw)
In-Reply-To: <20160130093453.GA24510@dcvr.yhbt.net>

Hi Eric,

> but that includes emails :)

Yeah, sorry about the email format :[  Hope this time it's as expected.

> Since the backtrace below clearly shows the error happened from
> something your application was doing;

.. if you count ruby MRI and rack as my application. ;) All this
happens way before it touches what I would call my application. But
yes, I could insert my own middleware before the first rack middleware
and deal with it.

> I don't consider it the responsibility of the app server to sanitize it.

fwiw, I agree :) ... similarly, why consider it the responsibility of
the app server to log it?  it is an application level error, not a
unicorn error.

Rack's spec doesn't state how to deal with exceptions in return to
@app.call. Python's PEP 0333 says a bit more, along the lines of that
applications should try to trap their own, internal errors. I'll go
for that then.


> In ancient times (perhaps it was the Mongrel days), the server
> itself would dump the contents of bad HTTP requests for
> debugging; but given the amount of probes/scans I saw: it wasn't
> worth it.  We don't even log things like aborted/dropped
> connections.

Yes, nice. :)

The request I'm seeing is also a bad HTTP request (invalid
%-encoding). To illustrate:

curl -v -X POST "http://localhost:8080/?foo=bar%0abaz%xx"

will have unicorn responds with a 400 Bad Request, handling
Unicorn::HttpParserError. The request doesn't enter @app.call(...).
And indeed unicorn doesn't even bother logging anything about this

When sending the same thing as form data:

curl -v -X POST -d "foo=bar%0abaz%xx" "http://localhost:8080/"

then this will result in a 500 error and unicorn will log the posted
value and stacktrace (provided Rack::Request.new(env).POST is called
anywhere and @app doesn't trap its own errors):

app error: invalid %-encoding (bar%0abaz%xx)


  reply	other threads:[~2016-02-01  5:04 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <56AAAD0A.8000807@icloud.com>
2016-01-30  9:34 ` Eric Wong
2016-02-01  5:04   ` Lawrence Pit [this message]
2016-02-01  9:57     ` Eric Wong

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

  List information: https://yhbt.net/unicorn/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAGHrWsiqS486dqLPw9mZiooLXk2yso-JEtnr1vM02HeP+f_2Ug@mail.gmail.com \
    --to=lawrence.pit@gmail.com \
    --cc=unicorn-public@bogomips.org \


* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this inbox:


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).