From 9f00d864e25e35ae6cb223b66a434965b14dbdca Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Sun, 5 Jun 2016 23:27:55 +0000 Subject: extras/try_gzip_static: do not show backtrace on syscall errors On ENAMETOOLONG and perhaps other system errors which we can do nothing about, we should not spew a giant backtrace which could be used as an easy DoS vector. --- extras/try_gzip_static.rb | 2 +- test/test_extras_try_gzip_static.rb | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/extras/try_gzip_static.rb b/extras/try_gzip_static.rb index 0d5d63b..31c1aa1 100644 --- a/extras/try_gzip_static.rb +++ b/extras/try_gzip_static.rb @@ -203,7 +203,7 @@ class TryGzipStatic msg = msg.dump if /[[:cntrl:]]/ =~ msg # prevent code injection logger.warn("#{env['REQUEST_METHOD']} #{env['PATH_INFO']} " \ "#{code} #{msg}") - if exc.respond_to?(:backtrace) + if exc.respond_to?(:backtrace) && !(SystemCallError === exc) exc.backtrace.each { |line| logger.warn(line) } end end diff --git a/test/test_extras_try_gzip_static.rb b/test/test_extras_try_gzip_static.rb index c6c8cef..4d20b5a 100644 --- a/test/test_extras_try_gzip_static.rb +++ b/test/test_extras_try_gzip_static.rb @@ -34,6 +34,18 @@ class TestExtrasTryGzipStatic < Testcase end end + Net::HTTP.start(host, port) do |http| + uri = "/COPYING/foo" + ('-' * 4096) + begin + res = http.request(Net::HTTP::Get.new(uri)) + end while res.code.to_i == 414 && uri.chop! + res = http.request(Net::HTTP::Get.new("/COPYING/foo")) + assert_equal 404, res.code.to_i + lines = File.readlines(err.path) + File.truncate(err.path, 0) + assert_operator lines.size, :<, 3, lines.map! { |s| s[0,64] }.inspect + end + begin # setup gpl = "#{tmpdir}/COPYING" gplgz = "#{tmpdir}/COPYING.gz" -- cgit v1.2.3-24-ge0c7