similar to: [SECURITY] Patch For Bug Serving Arbitrary Files

I just found a vulnerability in one of my web apps that was running Mongrel 1.1.2 where I could go to URIs like /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd and it would serve the actual /etc/passwd file. The issue seems to be in lib/mongrel/handlers.rb in the change from 1.0.3 to 1.0.4 req_path = HttpRequest.unescape(path_info) - if @path - req_path =

Ok, my little experiment proved my point. Ruby 1.8.6 is not viable for production. Requiring it and dropping the cgi fix back patch isn''t an option. It''s not even clear whether the latest 1.8.6 has any remaining fixes. So, crisis averted. Mongrel WILL NOT require 1.8.6 and now I''m going to dig out where these security fixes are coming from and how to host this kind

Hello Everyone, Been head down with personal stuff, but I wanted to shoot out this email saying that I''ve collected the list of volunteers and decided that I''d just hand the keys over to them and see how they do. The list of people I have so far is: Ezra Zygmuntowicz <ezmobius at gmail.com> "Kirk Haines" <wyhaines at gmail.com> "Wayne E. Seguin"

Hi, As many of you know I also wrote the SCGI connector for Ruby on Rails before I worked on Mongrel. I eventually stopped working on it since it was kind of pointless, but Jeremy Evans has stepped up and offered to maintain it. He''s now the official maintainer and will be managing the SCGI project: http://rubyforge.org/projects/scgi/ If anyone is interested in helping out then let

This is stupid, I made Luis, Wayne, Evan, and Filipe admins. Make anyone else admins that you want and do all the changes you need. Especially since you guys are mostly running the show anyway. -- Zed A. Shaw - Hate: http://savingtheinternetwithhate.com/ - Good: http://www.zedshaw.com/ - Evil: http://yearofevil.com/

Hopefully that gets everyone''s attention. Evan Weaver has whined enough to make me do a release to change the requirements on the Mongrel gem so that it doesn''t need the cgi_multipart_eof_fix anymore. *************************** THIS ALSO MEANS THAT MONGREL WILL HAVE TO REQUIRE RUBY 1.8.6 OR GREATER! NO EXCEPTIONS! *************************** I know Debian guys like to hack

Jeremy, I found your old message with this title. I struck the same thing, where the current drive wasn''t the same as the drive I wanted to serve (some) files from. So here''s the patch to add to lib/mongrel/handlers.rb contains class DirHandler. I added two things, first to initialize: def initialize(path, listing_allowed=true, index_html="index.html")

Hello Everyone, I''d like to just officially announce that the new volunteers are in charge and given control of the project. I won''t be doing anything more than helping them get ramped up, but they''ll be in charge of doing all the stuff you folks want and are basically the owners from now on. Everyone in the new volunteer list will probably do a little announce, but

Hey folks, I''m falling behind in my Mongrel duties and seriously need to recruit an enterprising individual to take on the patch queue and help push out a new release with some minor fixes. The goal would be to just get patches that are currently languishing, pull them together, put them in the source, write some tests to try them, and then one slight design change. If this works out

Hey folks, I have the following situation: I have a secure server, and I''d like to run multiple Rails apps without dealing with setting up multiple secure servers, with their fixed IPs, etc. So, I want to do https:// secure.domain.com/app1/ and https://secure.domain.com/app2/ etc. In lighttpd this is possible using a combination of relative_url_root in each app (in

Page caching of urls with spaces in them using WEBrick and Mongrel is broken in Edge Rails (and Rails 1.1.6, where I started). This is due to the dispatch flow of control in both servers converting ''+'' in requested paths into '' '' chars, whereas the page caching system writes cache files for URLs with spaces in them out as encoded ''+''

Hi, I need to get a spec file with all macro exanded, so i can extract info of some tags, that my be consitional based on macros, i know that some rpm utils need to make this to figure out dependencies and so on. I don't know if is posible to get a preprocesed spec file with actual Centos & rpm tools, if this is on librpm, i can make a simple tool to make this. Regards.

Hi list, I downloaded and tried to install Mongrel (latest stable version) from the -win32 gem. Platform is Win2K. It said it needed daemons so got and installed that. Then it said it needed cgi_multipart_eol_fix (I think that was the name, not at my machine now, can confirm later and repost if needed). Googled for that but couldn''t find it. (Don''t have net connectivitity for a

Hi, I''ve done some benchmarking on our new servers (being built now), AMD X2 5600, gentoo-hardened. With the same CFLAGS (safe cflags: -march=k8 -O2) I''ve tested the following configs: 1, emerge ruby rubygems, then gem install mongrel (or emerge mongrel, the performance was similar) 2, download the same ruby version, untar, ./configure, make, make install, download rubygems,

I just switched to Mongrel, and it''s been working much better than my previous lighttpd/fastcgi setup. So thanks for the awesomeness. My current problem: once or twice an hour, I get following error in production Mongrel timed out this thread: too many open files I never get it in testing or on our staging server. Any ideas what would cause that? It doesn''t *appear*

Howdy -- I''ve been tracking down mem leaks (oh, the fun...), and I think there is a clue in objects.log. There are a few mentions of this file, but usually Zed saying "look at this file and it will help you". Can anyone clue me in to what the actual columns mean? 18,Float,143952,256821,112869,,, 18,String,39543,41693,2150,24.727076,55.526376,2308.000000

Hello. Some time ago I committed a Rubinius assembly-based HTTP parser generated from Ragel to the Rubinius git repository. Yesterday I made a Mongrel gem which installs and works on Rubinius. This basically involved commenting out anything to do with fastthread or the http11 C extension. If there''s interest in releasing a Rubinius-targeted gem, I can make changes to the Rakefile to

I have been getting this error on the production server after rails was updated to 2.0.2 and moreover this worked perfectly in the development mode. This crash occurs when no one is using the app for an hour or so. This is the error that I get in the logs. (nohup.out file). The production log doesnt show anything unusual. Please help me out guys.

I am having a problem with mongrel just stopping inside a periodically_call_remote function so I ran mongrel with debug enabled Mongrel seg faults after a few minutes The mongrel filelog shows 5 files open when this happens. Same log files that are open all the time. Wed Dec 19 15:10:21 -0700 2007 FILES OPEN BEFORE REQUEST /calibration/ackAdjustDistance --- log/mongrel_debug/objects.log: 2

In my function I am trying to return multiple computed items (separated by commas). The function does what I need, but I get a warning message that multi-argument returns are deprecated. Is this a warning I should heed, or is there a more elegant and warning free way of achieving the same end? Thanks --------------------------------- [[alternative HTML version deleted]]