similar to: [SECURITY] Patch For Bug Serving Arbitrary Files

Displaying 20 results from an estimated 2000 matches similar to: "[SECURITY] Patch For Bug Serving Arbitrary Files"

2007 Dec 28
6
Arbitrary system files readable in 1.0.4 - 1.1.2
I just found a vulnerability in one of my web apps that was running Mongrel 1.1.2 where I could go to URIs like /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd and it would serve the actual /etc/passwd file. The issue seems to be in lib/mongrel/handlers.rb in the change from 1.0.3 to 1.0.4 req_path = HttpRequest.unescape(path_info) - if @path - req_path =
2007 Jun 28
2
You All Get To Live!
Ok, my little experiment proved my point. Ruby 1.8.6 is not viable for production. Requiring it and dropping the cgi fix back patch isn't an option. It's not even clear whether the latest 1.8.6 has any remaining fixes. So, crisis averted. Mongrel WILL NOT require 1.8.6 and now I'm going to dig out where these security fixes are coming from and how to host this kind
2007 Aug 08
2
The (Potentially) New Maintainers
Hello Everyone, Been head down with personal stuff, but I wanted to shoot out this email saying that I've collected the list of volunteers and decided that I'd just hand the keys over to them and see how they do. The list of people I have so far is: Ezra Zygmuntowicz <ezmobius at gmail.com> "Kirk Haines" <wyhaines at gmail.com> "Wayne E. Seguin"
2007 Aug 10
0
[OFF-TOPIC] SCGI now maintained by Jeremy Evans
Hi, As many of you know I also wrote the SCGI connector for Ruby on Rails before I worked on Mongrel. I eventually stopped working on it since it was kind of pointless, but Jeremy Evans has stepped up and offered to maintain it. He's now the official maintainer and will be managing the SCGI project: http://rubyforge.org/projects/scgi/ If anyone is interested in helping out then let
2007 Oct 23
0
Dammit, you're all admins now (especially since Ezra and Kirk are mostly MIA)
This is stupid, I made Luis, Wayne, Evan, and Filipe admins. Make anyone else admins that you want and do all the changes you need. Especially since you guys are mostly running the show anyway. -- Zed A. Shaw - Hate: http://savingtheinternetwithhate.com/ - Good: http://www.zedshaw.com/ - Evil: http://yearofevil.com/
2007 Jun 28
7
You Will All Die In 1 Week (Mongrel To Require 1.8.6)
Hopefully that gets everyone's attention. Evan Weaver has whined enough to make me do a release to change the requirements on the Mongrel gem so that it doesn't need the cgi_multipart_eof_fix anymore. *************************** THIS ALSO MEANS THAT MONGREL WILL HAVE TO REQUIRE RUBY 1.8.6 OR GREATER! NO EXCEPTIONS! *************************** I know Debian guys like to hack
2007 Oct 19
0
X-Sendfile, static files, windows
Jeremy, I found your old message with this title. I struck the same thing, where the current drive wasn't the same as the drive I wanted to serve (some) files from. So here's the patch to add to lib/mongrel/handlers.rb contains class DirHandler. I added two things, first to initialize: def initialize(path, listing_allowed=true, index_html="index.html")
2007 Aug 11
3
The Team is In Place
Hello Everyone, I'd like to just officially announce that the new volunteers are in charge and given control of the project. I won't be doing anything more than helping them get ramped up, but they'll be in charge of doing all the stuff you folks want and are basically the owners from now on. Everyone in the new volunteer list will probably do a little announce, but
2007 Aug 01
5
[HELP] Mongrel Needs a Patch Maven
Hey folks, I'm falling behind in my Mongrel duties and seriously need to recruit an enterprising individual to take on the patch queue and help push out a new release with some minor fixes. The goal would be to just get patches that are currently languishing, pull them together, put them in the source, write some tests to try them, and then one slight design change. If this works out
2006 Jul 28
0
URL root/serving more than one app per subdomain
Hey folks, I have the following situation: I have a secure server, and I'd like to run multiple Rails apps without dealing with setting up multiple secure servers, with their fixed IPs, etc. So, I want to do https:// secure.domain.com/app1/ and https://secure.domain.com/app2/ etc. In lighttpd this is possible using a combination of relative_url_root in each app (in
2006 Nov 04
0
page caching urls with space characters broken in webrick and mongrel
Page caching of urls with spaces in them using WEBrick and Mongrel is broken in Edge Rails (and Rails 1.1.6, where I started). This is due to the dispatch flow of control in both servers converting '+' in requested paths into ' ' chars, whereas the page caching system writes cache files for URLs with spaces in them out as encoded '+'
2012 Mar 27
1
How to get a spec preprocessed with all macros expanded.
Hi, I need to get a spec file with all macros expanded, so I can extract info from some tags that may be conditional based on macros. I know that some rpm utils need to do this to figure out dependencies and so on. I don't know if it is possible to get a preprocessed spec file with the actual CentOS & rpm tools; if this is in librpm, I can make a simple tool to do this. Regards.
2007 Jun 27
10
Q on cgi_multipart_eol_fix prerequisite for Mongrel on Win2K
Hi list, I downloaded and tried to install Mongrel (latest stable version) from the -win32 gem. Platform is Win2K. It said it needed daemons so got and installed that. Then it said it needed cgi_multipart_eol_fix (I think that was the name, not at my machine now, can confirm later and repost if needed). Googled for that but couldn't find it. (Don't have net connectivity for a
2007 Nov 22
7
Gentoo warning
Hi, I've done some benchmarking on our new servers (being built now), AMD X2 5600, gentoo-hardened. With the same CFLAGS (safe cflags: -march=k8 -O2) I've tested the following configs: 1, emerge ruby rubygems, then gem install mongrel (or emerge mongrel, the performance was similar) 2, download the same ruby version, untar, ./configure, make, make install, download rubygems,
2008 May 29
7
Error: Mongrel timed out this thread: too many open files
I just switched to Mongrel, and it's been working much better than my previous lighttpd/fastcgi setup. So thanks for the awesomeness. My current problem: once or twice an hour, I get the following error in production: Mongrel timed out this thread: too many open files. I never get it in testing or on our staging server. Any ideas what would cause that? It doesn't *appear*
2007 Oct 12
5
deciphering objects.log
Howdy -- I've been tracking down mem leaks (oh, the fun...), and I think there is a clue in objects.log. There are a few mentions of this file, but usually Zed saying "look at this file and it will help you". Can anyone clue me in to what the actual columns mean? 18,Float,143952,256821,112869,,, 18,String,39543,41693,2150,24.727076,55.526376,2308.000000
2008 Jun 01
3
rbx gem
Hello. Some time ago I committed a Rubinius assembly-based HTTP parser generated from Ragel to the Rubinius git repository. Yesterday I made a Mongrel gem which installs and works on Rubinius. This basically involved commenting out anything to do with fastthread or the http11 C extension. If there's interest in releasing a Rubinius-targeted gem, I can make changes to the Rakefile to
2008 Mar 18
9
Mongrel Crashes in Production
I have been getting this error on the production server after Rails was updated to 2.0.2, and moreover this worked perfectly in development mode. This crash occurs when no one is using the app for an hour or so. This is the error that I get in the logs (nohup.out file). The production log doesn't show anything unusual. Please help me out guys.
2007 Dec 19
8
Segmentation fault in Mongrel when run with --debug
I am having a problem with mongrel just stopping inside a periodically_call_remote function so I ran mongrel with debug enabled Mongrel seg faults after a few minutes The mongrel filelog shows 5 files open when this happens. Same log files that are open all the time. Wed Dec 19 15:10:21 -0700 2007 FILES OPEN BEFORE REQUEST /calibration/ackAdjustDistance --- log/mongrel_debug/objects.log: 2
2006 Jan 30
4
Warning message when returning multiple items
In my function I am trying to return multiple computed items (separated by commas). The function does what I need, but I get a warning message that multi-argument returns are deprecated. Is this a warning I should heed, or is there a more elegant and warning-free way of achieving the same end? Thanks