Date | Commit message (Collapse) |
|
This release fixes a denial-of-service vector for derived
servers exposed directly to untrusted clients.
This bug does not affect most Unicorn deployments as Unicorn is
only supported with trusted clients (such as nginx) on a LAN.
nginx is known to reject clients that send invalid
Content-Length headers, so any deployments on a trusted LAN
and/or behind nginx are safe.
Servers affected by this bug include (but are not limited to)
Rainbows! and Zbatery. This bug does not affect Thin nor
Mongrel, as neither got the request body filtering treatment
that the Unicorn HTTP parser got in August 2009.
The bug fixed in this release could result in a
denial-of-service as it would trigger a process-wide assertion
instead of raising an exception. For servers such as
Rainbows!/Zbatery that serve multiple clients per worker
process, this could abort all clients connected to the
particular worker process that hit the assertion.
|
|
...instead of tripping an assertion.
This fixes a potential denial-of-service for servers exposed directly
to untrusted clients.
This bug does not affect supported Unicorn deployments as Unicorn is
only supported with trusted clients (such as nginx) on a LAN. nginx is
known to reject clients that send invalid Content-Length headers, so any
deployments on a trusted LAN and/or behind nginx are safe.
Servers affected by this bug include (but are not limited to) Rainbows!
and Zbatery. This does not affect Thin nor Mongrel which never got
request body filtering treatment that the Unicorn HTTP parser got in
August 2009.
|
|
A bunch of small fixes related to startup/configuration and hot
reload issues with HUP:
* Variables in the user-generated config.ru files no longer
risk clobbering variables used in laucher scripts.
* signal handlers are initialized before the pid file is
dropped, so over-eager firing of init scripts won't
mysteriously nuke a process.
* SIGHUP will return app to original state if an updated
config.ru fails to load due to {Syntax,Load}Error.
* unicorn_rails should be Rails 3 compatible out-of-the-box
('unicorn' works as always, and is recommended for Rails 3)
* unicorn_rails is finally "working_directory"-aware when
generating default temporary paths and pid file
* config.ru encoding is the application's default in 1.9,
not forced to binary like many parts of Unicorn.
* configurator learned to handle the "user" directive outside
of after_fork hook (which will always remain supported).
There are also various internal cleanups and possible speedups.
|
|
It's part of the standard Ruby library and will always be loaded
by various modules (Rack::Utils, Tmpdir) so there's no point in
deferring it.
|
|
Allowing the "user" directive outside of after_fork reduces the
cognitive overhead for folks that do not need the complexity of
*_fork hooks. Using Worker#user remains supported as it offers
fine-grained control of user switching.
|
|
|
|
Do not assume the user wants config.ru to be Encoding::BINARY
for 1.9.
|
|
|
|
This lets us reuse code for Zbatery and Rainbows!, too.
|
|
It's a waste of memory bandwidth to do memcpy() when we know
Unicorn::HttpParser (via rb_str_resize()) will allocate new
memory for the string for us. An empty String is "free",
as we've already paid the Object cost regardless.
|
|
We'll use struct members exclusively from now on instead of
throwing ivars into the mix. This allows us to _unofficially_
support direct access to more members easily. Unofficial
extensions may include the ability to splice(2)/tee(2) for
better performance.
This also makes our object size smaller across all Ruby
implementations as well, too (helps Rainbows! out).
|
|
The temporary paths we create to mimic script/server-emulation
did not work when working_directory was used. Now we defer
path creation until after working_directory is bound.
|
|
|
|
We'll use our Rails-only version of Unicorn.builder so
the lambda is safe without another binding.
|
|
The stock config/boot.rb file in a Rails 3 app is much lighter
and does not export any Rails/RAILS_* constants, so we'll wait
until we get config/environment.rb loaded.
|
|
no point in using "next" here
|
|
Copy-on-write will always invalidate it regardless, and
the first request is likely to be slow for any app.
|
|
* Bourne shell - TAP test suite stolen from Rainbows!
* tests currently pass under FreeBSD 7.2
|
|
This was always in my .git/info/exclude so I never noticed
until now.
|
|
this file may be sourced and used later, too
|
|
Not fun, but maybe this can help us spot _real_ problems
more easily in the future.
|
|
* init_globals() is a static function, avoid conflicting
with any potential libraries out there...
* mUnicorn and cHttpParser do not need to be static globals
they're not used outside of Init_unicorn_http().
|
|
We never come close to the signed limits anywhere, so it
should be safe either way, but make paranoid compiler settings
less noisy if possible.
|
|
This should make it easier to reuse code in derivative
servers like Rainbows! and Zbatery. Unfortunately, we
can't depend on Rack::Builder/Rack::Server yet since
Rack 1.1 just got them and notable frameworks (like
Rails 2.3.x) do not fully work with Rack 1.1 yet).
This also fixes subtle issue with config.ru files that could
have variables that conflict with the Unicorn-specific
namespace (this bug still affects "unicorn_rails", which
could use some reworking as well).
|
|
If preload_app is true and Unicorn is HUP-ed with a bad
config.ru, then it would be possible to have Unicorn in a bad
state and constantly throw 500 errors.
We now detect syntax and load errors since they're likely to
appear in modified Rackup files, and will restore the original
app if reloading failed.
|
|
|
|
|
|
We started using upper-case variables a while back, so just
remove the backwards-compatibility clutter.
|
|
First off, this memory leak DOES NOT affect Unicorn itself.
Unicorn allocates the HttpParser once and always reuses it
in every sequential request.
This leak affects applications which repeatedly allocate a new
HTTP parser. Thus this bug affects _all_ deployments of
Rainbows! and Zbatery. These servers allocate a new parser for
every client connection.
I misread the Data_Make_Struct/Data_Wrap_Struct documentation
and ended up passing NULL as the "free" argument instead of -1,
causing the memory to never be freed.
From README.EXT in the MRI source which I misread:
> The free argument is the function to free the pointer
> allocation. If this is -1, the pointer will be just freed.
> The functions mark and free will be called from garbage
> collector.
|
|
Earlier elements of a Struct (in both Ruby and C) are faster
to access, so put more-often accessed elements like :app first.
This does not noticeably affect most applications, but may
matter to some micro benchmarks somewhere...
|
|
we've already got "-*- encoding: binary -*-" in everything
|
|
|
|
This may be used as a basis of other scripts so we need
to stash $1 before we "set -u"
|
|
|
|
Thanks to Michael Guterl for informing us of the issues
and testing the monkey patch.
|
|
This prevents trigger-happy init scripts from reading the pid
file (and thus sending signals) to a not-fully initialized
master process to handle them.
This does NOT fix anything if other processes are sending
signals prematurely without relying on the presence of the pid
file. It's not possible to prevent all cases of this in one
process, even in a purely C application, so we won't bother
trying.
We continue to always defer signal handling to the main loop
anyways, and signals sent to the master process will be
deferred/ignored until Unicorn::HttpServer#join is run.
|
|
This constant hasn't been in active use in our Ruby code for
ages now. All HTTP header constraints are defined in the
C/Ragel HTTP parser and we have tests for them, so there's
no need to repeat ourselves.
|
|
There may be some large-ish internal changes for 0.97.0
|
|
|
|
|
|
This release includes small changes for things allowed by Rack
1.1. It is also now easier to detect if daemonized process
fails to start. Manpages received some minor updates as well.
Rack 1.1 allowed us to make the following environment changes:
* "rack.logger" is now set to the "logger" specified in
the Unicorn config file. This defaults to a Logger
instance pointing to $stderr.
* "rack.version" is now at [1,1]. Unicorn remains
compatible with previous Rack versions if your app
depends on it.
While only specified since Rack 1.1, Unicorn has always exposed
"rack.input" in binary mode (and has ridiculous integration
tests that go outside of Ruby to prove it!).
|
|
* rack-1.1:
http_response: disallow blank, multi-value headers
local.mk.sample: use rack-1.1.0
bump "rack.version" env to [1,1]
set env["rack.logger"] for applications
|
|
The HeaderHash optimizations in Rack 1.1 interact badly with
Rails 2.3.5 (and possibly other frameworks/apps) which set
multi-value "Set-Cookie" headers without relying on the proper
methods provided by Rack::Utils.
While this is an issue with Rails not using properly, there
may be similar apps that make this mistake and Rack::Lint
does not guard against it.
Rack-ML-Ref: <20100105235845.GB3377@dcvr.yhbt.net>
|
|
|
|
Rails 2.3.3.1 is ancient
|
|
* ready_pipe:
launcher: no point in sync-ing $stdin
launcher: fix compatibility with other servers
clarify errors when listeners fail to bind
launcher: descriptive error message on startup failure
Avoid leaking ready pipe file descriptor to workers
exit with failure if master dies when daemonized
|
|
|
|
Inspection of the MRI source reveals that IO#sync=true only
appears to only apply for writes. Though it could eventually
make sense to disable read buffering by setting IO#sync=true,
it does not appear to happen.
Of course we never read from $stdin anyways....
|
|
Rainbows! does not yet know about ready_pipe, and will probably
not know about it until Unicorn 0.97.0
|
|
When using multiple listeners, the log messages can be
potentially misleading as to which listener fails to bind:
Before:
INFO -- : unlinking existing socket=/tmp/unicorn.sock
INFO -- : listening on addr=/tmp/unicorn.sock fd=3
unicorn/socket_helper.rb:110:in `initialize': Permission denied - bind(2) (Errno::EACCES)
After:
INFO -- : unlinking existing socket=/tmp/openxdms.sock
INFO -- : listening on addr=/tmp/openxdms.sock fd=3
FATAL -- : error adding listener addr=0.0.0.0:84
unicorn/socket_helper.rb:110:in `initialize': Permission denied - bind(2) (Errno::EACCES)
|