Changeset 766

Timestamp:
03/09/08 03:58:16 (2 years ago)
Author:
bradfitz
Message:

SECURITY: patch from Jeremey James <jbj@…> to not crash
on zero byte chunked upload when buffered uploads are enabled.

Location:
trunk
Files:
3 modified

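--- a/trunk/CHANGES
+++ b/trunk/CHANGES
@@ -1,2 +1,5 @@
+    -- SECURITY: patch from Jeremey James <jbj@forbidden.co.uk> to not crash
+       on zero byte chunked upload when buffered uploads are enabled.
+
     -- on successful write, update Perlbal::Socket's alive_time, so slowly
        reproxied writes don't timeout the connection and kill it.  Patch
@@ -12,5 +15,5 @@
        to bring in more config; can be nested.
 
-    -- SECURITY - Previously a single upward directory traversal was possible
+    -- SECURITY: Previously a single upward directory traversal was possible
        when concat get was enabled. This behavior has been fixed in code to
        match with standard file serving.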
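--- a/trunk/lib/Perlbal/ClientProxy.pm
+++ b/trunk/lib/Perlbal/ClientProxy.pm
@@ -1021,5 +1021,5 @@
     # reset our position so we start reading from the right spot
     $self->{buoutpos} = 0;
-    sysseek($self->{bufh}, 0, 0);
+    sysseek($self->{bufh}, 0, 0) if ($self->{bufh}); # But only if it exists at all
 
     # notify that we want the backend so we get the ball rolling
@@ -1035,12 +1035,14 @@
     my $clen = $self->{request_body_length};
 
-    my $sent = Perlbal::Socket::sendfile($be->{fd}, fileno($self->{bufh}), $clen - $self->{buoutpos});
-    if ($sent < 0) {
-        return $self->close("epipe") if $! == EPIPE;
-        return $self->close("connreset") if $! == ECONNRESET;
-        print STDERR "Error w/ sendfile: $!\n";
-        return $self->close('sendfile_error');
-    }
-    $self->{buoutpos} += $sent;
+    if ($self->{buoutpos} < $clen) {
+        my $sent = Perlbal::Socket::sendfile($be->{fd}, fileno($self->{bufh}), $clen - $self->{buoutpos});
+        if ($sent < 0) {
+            return $self->close("epipe") if $! == EPIPE;
+            return $self->close("connreset") if $! == ECONNRESET;
+            print STDERR "Error w/ sendfile: $!\n";
+            return $self->close('sendfile_error');
+        }
+        $self->{buoutpos} += $sent;
+    }
 
     # if we're done, purge the file and move on
@@ -1155,4 +1157,7 @@
 sub purge_buffered_upload {
     my Perlbal::ClientProxy $self = shift;
+
+    # Main reason for failure below is a 0-length chunked upload, where the file is never created.
+    return unless $self->{bufh};
 
     # FIXME: it's reported that sometimes the two now-in-eval blocks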
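Review bot: The sendfile guard in the second hunk, `if ($self->{buoutpos} < $clen)`, protects `fileno($self->{bufh})` only indirectly: it assumes a missing buffer file always coincides with a zero-length body, while the other two sites test `$self->{bufh}` itself. Because the crash being fixed is reachable by a single client request, I would make the handle check explicit inside that block, `return $self->close('sendfile_error') unless $self->{bufh};`, so a non-zero length with no buffer file closes the one client instead of presumably taking the process down again. The `sysseek` result in the first hunk is also still unchecked. The enclosing subs of the first two hunks begin and end outside the visible lines, so the done-check that follows the block is not confirmed here.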
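--- a/trunk/t/52-chunked-upload.t
+++ b/trunk/t/52-chunked-upload.t
@@ -184,3 +184,18 @@
 }
 
+# Try a 0 length chunked request, as it used to crash server
+{
+    my $hdr = "POST /status HTTP/1.0\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n";
+    my $sock = IO::Socket::INET->new( PeerAddr => "127.0.0.1:$port" )
+        or return undef;
+    my $rv = syswrite($sock, $hdr);
+    die unless $rv == length($hdr);
+
+    # Give it time to crash
+    select undef, undef, undef, 1.0;
+
+    my $sock2 = IO::Socket::INET->new( PeerAddr => "127.0.0.1:$port" );
+    ok ($sock2, 'Server still alive');
+}
+
 1;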
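Review bot: `or return undef;` on the first connect sits in a bare block at file scope as far as this hunk shows, where `return` is a run-time error rather than a skipped test, so a failed connect would abort the script with an unrelated message. `or die "cannot connect to 127.0.0.1:$port: $!";`, plus a message on the bare `die unless $rv == length($hdr);`, would make that failure readable. The assertion also only proves that the listener still accepts a TCP connection after a fixed one-second wait; sending a request on `$sock2` and reading the response would pin that the server still serves traffic. If the file declares a fixed test plan outside this hunk, it needs to grow by one.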