Forum: Ruby on Rails Mongrel Web Server 0.3.12.1 -- Iron Mongrel

Zed S. (Guest)
on 2006-04-04 10:15
(Received via mailing list)
Hello All Mongrel Users,

For the uninitiated, Mongrel is a web server that runs Ruby web applications really fast.  Read http://mongrel.rubyforge.org/ to find out more about it.

This is the Iron Mongrel release.  It is the result of trying to trash Mongrel until it can't move and then fixing anything that comes up.  The work was done on EastMedia's and VeriSign's upcoming project in order to make sure it can handle heavy loads and potentially malformed requests.  The project is a security and identity project so having a web server that is able to block bad requests is very important.

The testing methods used were (are):

1.  Unit testing what I can.  Mongrel is a server so many tests have to be done "live".
2.  Thrashing Mongrel's HTTP parser internally with random or near-random data (called fuzzing).
3.  Using "Peach Fuzz":http://peachfuzz.sourceforge.net/ to thrash several live apps with randomness.
4.  Running several extensive little scripts to explore the edges of death for Mongrel.
5.  Heavy code audits covering as much code as possible to find any possible loose ends.

The end result is a lot of little fixes which make Mongrel more robust against badly behaving clients and possibly against many potential security risks in the future.  In general Mongrel 0.3.12.1 behaves more consistently compared to past releases when given random data or maliciously formatted data.

The main changes are related to how IO is processed and how the HTTP parser rejects "bad" input.  What the parser now blocks is:

* Any header over 112k.
* Any query string over 10k.
* Any header field value over 80k.
* Any header field name over 256 bytes.
* Any request URI (the file part, not the whole thing) greater than 512 bytes.

As soon as these conditions are detected the client is disconnected immediately and a log message is printed out listing the IP address, the exact cause, and the data that caused it.  I'll remove the data dump later, but I want people to shoot me valid requests that cause parser errors.

That's not all though.  I've started a "security":security.html page where I'll publish the results of security threats, tests, and improvements as well as any advice for folks.

This release also features a few little features here and there:

* Initial support for a "config script".  I'll be documenting this more, but it basically lets you use the Mongrel::RailsConfigurator to augment your application's config via a small script.  Just pass "-S config/mongrel.rb" and put any Mongrel::RailsConfigurator statements that are reasonable.
* Mongrel will report the correct REMOTE_ADDR variable, but it does a little trick where if there is an X-FORWARDED-FOR header then it sets REMOTE_ADDR to that.
* Fixes for little bugs like double log messages, but not a lot of changes to the overall core.

Go ahead and install the usual way:  gem install mongrel *or* gem upgrade


Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/

P.S. The snazzy Iron Mongrel logo is courtesy court3nay from
http://caboo.se/
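An added illustration, not Mongrel's own code, of the two behaviours announced above: the five parser limits applied to a raw request head, and REMOTE_ADDR derived from X-Forwarded-For. Since any client can send that header, the example honours it only when the TCP peer is a trusted proxy; the trusted-proxy list, the BadRequest class and the sample requests are assumptions.

```ruby
# Added example, not Mongrel's own code: apply the five Iron Mongrel parser
# limits to a raw HTTP request head, then derive REMOTE_ADDR from
# X-Forwarded-For only when the TCP peer is a trusted proxy (assumption:
# the trusted-proxy list; sample requests used with it are constructed).
LIMITS = {
  head: 112 * 1024,        # whole header block
  query: 10 * 1024,        # query string
  field_value: 80 * 1024,  # a single header field value
  field_name: 256,         # a single header field name
  request_uri: 512         # the path part of the request line only
}.freeze

class BadRequest < StandardError; end

# Parses "METHOD target HTTP/x.y\r\nName: value\r\n...\r\n\r\n".
# Returns a hash, or raises BadRequest naming the exact cause so the
# server can log it and drop the connection.
def parse_head(raw)
  raise BadRequest, "header block over #{LIMITS[:head]} bytes" if raw.bytesize > LIMITS[:head]
  lines = raw.split("\r\n")
  method, target, version = lines.shift.to_s.split(" ", 3)
  raise BadRequest, "malformed request line" unless method && target && version
  path, query = target.split("?", 2)
  raise BadRequest, "request URI over #{LIMITS[:request_uri]} bytes" if path.bytesize > LIMITS[:request_uri]
  raise BadRequest, "query string over #{LIMITS[:query]} bytes" if query && query.bytesize > LIMITS[:query]
  headers = {}
  lines.each do |line|
    break if line.empty?
    name, value = line.split(":", 2)
    raise BadRequest, "malformed header line" unless name && value
    raise BadRequest, "header name over #{LIMITS[:field_name]} bytes" if name.bytesize > LIMITS[:field_name]
    value = value.strip
    raise BadRequest, "header value over #{LIMITS[:field_value]} bytes" if value.bytesize > LIMITS[:field_value]
    headers[name.strip.upcase] = value
  end
  { method: method, path: path, query: query, headers: headers }
end

# The announcement overrides REMOTE_ADDR with X-Forwarded-For whenever the
# header is present.  Any client can send that header, so this version trusts
# it only when the connection actually came from a known proxy; otherwise the
# TCP peer address is reported.
def remote_addr(peer_ip, headers, trusted_proxies)
  xff = headers["X-FORWARDED-FOR"]
  return peer_ip unless xff && trusted_proxies.include?(peer_ip)
  xff.split(",").first.strip
end
```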
Stefano C. (Guest)
on 2006-04-04 15:04
(Received via mailing list)
On Apr 4, 2006, at 8:12 AM, Zed S. wrote:

> up.  The work was done on EastMedia's and VeriSign's upcoming project in order to make sure it can handle heavy loads and potentially malformed requests.  The project is a security and identity project so having a web server that is able to block bad requests is very important.

One of my applications is behaving oddly when doing file uploads with
this release of Mongrel...

The form is:
  <form action="/home/upload" enctype="multipart/form-data" method="post">
    <input id="blueprint_content" name="blueprint[content]" size="30" type="file" />
    <input id="blueprint_name" name="blueprint[name]" size="30" type="text" value="" />
    <select id="blueprint_group" name="blueprint[group]">...</select>
    <input id="submit_button" name="commit" type="submit" value="Load" />
  </form>

Dumping the params hash while running the application with WEBrick, I get:

--- !map:HashWithIndifferentAccess
commit: Load
blueprint: !map:HashWithIndifferentAccess
   name: Test
   content: !ruby/object:StringIO {}

   group: "1"
action: upload
controller: home

while with Mongrel I get this:

--- !map:HashWithIndifferentAccess
" filename": |-
   "untitled.txt"
   Content-Type: text/plain

   test
   -----------------------------6918292731098126453736833253
   Content-Disposition: form-data
"-----------------------------6918292731098126453736833253\r\n\
   Content-Disposition: form-data": ""
" name": "\"blueprint[content]\""
action: upload
controller: home

This happens on my dev machine, running Mac OS X; the same application is currently running fine under Mongrel 0.3.11 on a FreeBSD server.

--
Stefano C.
removed_email_address@domain.invalid
Zed S. (Guest)
on 2006-04-04 17:44
(Received via mailing list)
On 4/4/06 7:02 AM, "Stefano C." <removed_email_address@domain.invalid> wrote:

>
> One of my applications is behaving oddly when doing file uploads with
> this release of Mongrel...
>
<snip>

Can you run your application with the -B option?  Run through, and then take the log/mongrel_debug/rails.log file and send it to me (off list) or paste it to a nopaste site so I can take a look.

Also look at your log/mongrel.log and log/development.log files for other possible clues.

Finally, can you tell me more specifically what "behaving oddly" is?

> This happens on my dev machine, running Mac OS X; the same application is currently running fine under Mongrel 0.3.11 on a FreeBSD server.

Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
Jonathan W. (Guest)
on 2006-04-04 19:48
(Received via mailing list)
>
> One of my applications is behaving oddly when doing file uploads with
> this release of Mongrel...

I also have problems with Mongrel 0.13.1 and file_column / file uploads.
Everything works fine with older versions of Mongrel.

I'll have more details for you later, Zed; I'm not in the office anymore.


Jonathan