On ENAMETOOLONG and perhaps other system errors which we can do
nothing about, we should not spew a giant backtrace which could
be used as an easy DoS vector.
---
extras/try_gzip_static.rb | 2 +-
test/test_extras_try_gzip_static.rb | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/extras/try_gzip_static.rb b/extras/try_gzip_static.rb
index 0d5d63b..31c1aa1 100644
--- a/extras/try_gzip_static.rb
+++ b/extras/try_gzip_static.rb
@@ -203,7 +203,7 @@ def r(code, exc = nil, env = nil)
msg = msg.dump if /[[:cntrl:]]/ =~ msg # prevent code injection
logger.warn("#{env['REQUEST_METHOD']} #{env['PATH_INFO']} " \
"#{code} #{msg}")
- if exc.respond_to?(:backtrace)
+ if exc.respond_to?(:backtrace) && !(SystemCallError === exc)
exc.backtrace.each { |line| logger.warn(line) }
end
end
diff --git a/test/test_extras_try_gzip_static.rb
b/test/test_extras_try_gzip_static.rb
index c6c8cef..4d20b5a 100644
--- a/test/test_extras_try_gzip_static.rb
+++ b/test/test_extras_try_gzip_static.rb
@@ -34,6 +34,18 @@ def test_gzip_static
end
end
+ Net::HTTP.start(host, port) do |http|
+ uri = "/COPYING/foo" + ('-' * 4096)
+ begin
+ res = http.request(Net::HTTP::Get.new(uri))
+ end while res.code.to_i == 414 && uri.chop!
+ res = http.request(Net::HTTP::Get.new("/COPYING/foo"))
+ assert_equal 404, res.code.to_i
+ lines = File.readlines(err.path)
+ File.truncate(err.path, 0)
+ assert_operator lines.size, :<, 3, lines.map! { |s| s[0,64] }.inspect
+ end
+
begin # setup
gpl = "#{tmpdir}/COPYING"
gplgz = "#{tmpdir}/COPYING.gz"
--
unsubscribe: [email protected]
archive: https://yhbt.net/yahns-public/
