From: Lawrence Pit <lawrence.pit@gmail.com>
To: unicorn-public@bogomips.org
Subject: Re: unicorn log attack?
Date: Mon, 1 Feb 2016 16:04:35 +1100
Message-ID: <CAGHrWsiqS486dqLPw9mZiooLXk2yso-JEtnr1vM02HeP+f_2Ug@mail.gmail.com>
In-Reply-To: <20160130093453.GA24510@dcvr.yhbt.net>
Hi Eric,
> but that includes emails :)
Yeah, sorry about the email format :[ Hope this time it's as expected.
> Since the backtrace below clearly shows the error happened from
> something your application was doing;
.. if you count ruby MRI and rack as my application. ;) All this
happens way before it touches what I would call my application. But
yes, I could insert my own middleware before the first rack middleware
and deal with it.
> I don't consider it the responsibility of the app server to sanitize it.
fwiw, I agree :) ... similarly, why consider it the responsibility of
the app server to log it? it is an application level error, not a
unicorn error.
Rack's spec doesn't state how to deal with exceptions in return to
@app.call. Python's PEP 0333 says a bit more, along the lines of that
applications should try to trap their own, internal errors. I'll go
for that then.
PS.
> In ancient times (perhaps it was the Mongrel days), the server
> itself would dump the contents of bad HTTP requests for
> debugging; but given the amount of probes/scans I saw: it wasn't
> worth it. We don't even log things like aborted/dropped
> connections.
Yes, nice. :)
The request I'm seeing is also a bad HTTP request (invalid
%-encoding). To illustrate:
curl -v -X POST "http://localhost:8080/?foo=bar%0abaz%xx"
will have unicorn respond with a 400 Bad Request, handling
Unicorn::HttpParserError. The request doesn't enter @app.call(...).
And indeed unicorn doesn't even bother logging anything about this
request.
When sending the same thing as form data:
curl -v -X POST -d "foo=bar%0abaz%xx" "http://localhost:8080/"
then this will result in a 500 error and unicorn will log the posted
value and stacktrace (provided Rack::Request.new(env).POST is called
anywhere and @app doesn't trap its own errors):
app error: invalid %-encoding (bar%0abaz%xx)
(Rack::Utils::InvalidParameterError)
Cheers,
Lawrence
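The 500 described above is raised inside Rack::Request#POST, after unicorn has already handed the request to the application, which is why the unicorn-side 400 path never sees it. The following is an added example (not code from this thread, from unicorn or from Rack) of the kind of middleware mentioned above, inserted before the first Rack middleware: it pre-checks the %-encoding of form-urlencoded bodies with the same stdlib decoder Rack uses and answers 400 without logging the value. RejectBadFormEncoding, demo_status and the 64 KiB body limit are assumed names and values.

```ruby
require 'uri'
require 'stringio'
# Rack-style middleware (added example, not code from the thread or unicorn)
# that validates the %-encoding of a form-urlencoded POST body before the app,
# and so before Rack::Request#POST, decodes it: a malformed body yields a 400
# instead of a 500, and the offending bytes never reach the application log.
class RejectBadFormEncoding
  FORM_TYPE = 'application/x-www-form-urlencoded'.freeze
  MAX_BODY = 64 * 1024 # assumption: larger bodies are left to the app

  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) unless form_post?(env) && !valid_form_encoding?(env)
    # Deliberately no logging of the body here; count the event elsewhere.
    [400, { 'content-type' => 'text/plain' }, ["Bad Request\n"]]
  end

  def form_post?(env)
    env['REQUEST_METHOD'] == 'POST' &&
      env['CONTENT_TYPE'].to_s.split(';').first.to_s.strip.downcase == FORM_TYPE
  end

  def valid_form_encoding?(env)
    input = env['rack.input']
    body = input.read(MAX_BODY).to_s
    input.rewind # leave the body intact for the app
    body.split(/[&;]/).all? { |pair| pair.split('=', 2).all? { |s| decodable?(s) } }
  end

  # URI.decode_www_form_component raises ArgumentError on "%xx"-style junk,
  # the same stdlib check Rack::Utils.unescape relies on underneath.
  def decodable?(str)
    URI.decode_www_form_component(str)
    true
  rescue ArgumentError
    false
  end
end

# Constructed demo: trivial app behind the middleware; returns the status seen.
def demo_status(body)
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  env = { 'REQUEST_METHOD' => 'POST', 'rack.input' => StringIO.new(body),
          'CONTENT_TYPE' => 'application/x-www-form-urlencoded' }
  RejectBadFormEncoding.new(app).call(env).first
end
```

With the body from the second curl command, demo_status returns 400 and the app is never called; a correctly encoded body passes through untouched.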