extras/try_gzip_static: do not show backtrace on syscall errors

On ENAMETOOLONG and perhaps other system errors which we can do
nothing about, we should not spew a giant backtrace which could
be used as an easy DoS vector.

2 files changed, 13 insertions, 1 deletions

diff --git a/extras/try_gzip_static.rb b/extras/try_gzip_static.rb
index 0d5d63b..31c1aa1 100644
--- a/extras/try_gzip_static.rb
+++ b/extras/try_gzip_static.rb
@@ -203,7 +203,7 @@ class TryGzipStatic
       msg = msg.dump if /[[:cntrl:]]/ =~ msg # prevent code injection
       logger.warn("#{env['REQUEST_METHOD']} #{env['PATH_INFO']} " \
                   "#{code} #{msg}")
-      if exc.respond_to?(:backtrace)
+      if exc.respond_to?(:backtrace) && !(SystemCallError === exc)
         exc.backtrace.each { |line| logger.warn(line) }
       end
     end
diff --git a/test/test_extras_try_gzip_static.rb b/test/test_extras_try_gzip_static.rb
index c6c8cef..4d20b5a 100644
--- a/test/test_extras_try_gzip_static.rb
+++ b/test/test_extras_try_gzip_static.rb
@@ -34,6 +34,18 @@ class TestExtrasTryGzipStatic < Testcase
       end
     end
 
+    Net::HTTP.start(host, port) do |http|
+      uri = "/COPYING/foo" + ('-' * 4096)
+      begin
+        res = http.request(Net::HTTP::Get.new(uri))
+      end while res.code.to_i == 414 && uri.chop!
+      res = http.request(Net::HTTP::Get.new("/COPYING/foo"))
+      assert_equal 404, res.code.to_i
+      lines = File.readlines(err.path)
+      File.truncate(err.path, 0)
+      assert_operator lines.size, :<, 3, lines.map! { |s| s[0,64] }.inspect
+    end
+
     begin # setup
       gpl = "#{tmpdir}/COPYING"
       gplgz = "#{tmpdir}/COPYING.gz"