HTTP::Server Fiber crash with "Header content contains invalid character" #5611
Comments
0.24.1, this is by running
We probably need some code to reproduce, otherwise there's not much we can do.
So, does it actually crash the server or just break that specific request?
The Fiber that is spawned to handle this request "breaks" with an unhandled exception. This would have crashed the whole server if it hadn't been saved by the Fiber, so the Fiber dies and the server is saved, but this is hardly a good solution, more of a lucky save. I'm working on the exact payload to send to the server to cause this.
@asterite
Let me know if you need more info to tackle this.
No, I don't have time and probably won't have the time to investigate this. Someone else will have to take a look.
Reduced code to reproduce:

```crystal
require "http/server"

# Drive the request processor directly with a static file handler,
# without a listening socket.
processor = HTTP::Server::RequestProcessor.new(HTTP::StaticFileHandler.new("."))

# Request this script's own file name with an encoded newline ("%0A") appended.
request = HTTP::Request.new("GET", File.basename(__FILE__) + "%0A")

# Serialize the request into an in-memory IO and feed it to the processor.
io = IO::Memory.new
request.to_io(io)
io.rewind
processor.process(io, IO::Memory.new)
```

This error is caused by
A fix for the immediate issue is in #5628 but the error handling regarding fibers probably needs further investigation.
@straight-shoota what do you think can be improved regarding unhandled exceptions in fibers?
I don't know.
I have found that using some "invalid character", it's easy to crash a fiber at the server side using a simple get request.
There should be some defense against this kind of abuse especially when HTTP::Server is used as the basis for all major web frameworks and crystal play.
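One way to get the defense the report asks for, as an added example that is not code from the issue or from the Crystal project: a handler placed in front of the application that rescues the `ArgumentError` which `HTTP::Headers` raises for a header value containing a control character (the newline that `%0A` decodes to), answers the offending request with a 400, and turns any other escaping exception into a 500, so neither ever reaches the request fiber unhandled. The names `HeaderErrorHandler` and `safe_respond` are this example's own. It is written against the current Crystal API (`HTTP::Status`, `Response#respond_with_status`, `Log`); the issue concerns 0.24.1, whose response API differs. Crystal's standard library also ships `HTTP::ErrorHandler`, which rescues everything into a 500; this example differs in classifying a client-provoked header failure as the client's error.

```crystal
require "http/server"
require "log"

# Hypothetical handler (not part of Crystal's stdlib): keeps a header-building
# failure in one request from escaping the fiber that serves it.
class HeaderErrorHandler
  include HTTP::Handler

  def call(context : HTTP::Server::Context)
    call_next(context)
  rescue ex : ArgumentError
    # HTTP::Headers raises ArgumentError ("Header content contains invalid
    # character ...") when a value holds a control character such as "\n".
    # A client can provoke it via the request path, so answer with 400.
    Log.warn(exception: ex) { "rejected #{context.request.method} #{context.request.path.inspect}" }
    safe_respond(context, HTTP::Status::BAD_REQUEST)
  rescue ex
    # Anything else is a server-side bug: log it and answer 500 instead of
    # letting the exception kill the request fiber.
    Log.error(exception: ex) { "unhandled exception in request handler" }
    safe_respond(context, HTTP::Status::INTERNAL_SERVER_ERROR)
  end

  # respond_with_status itself raises if the headers were already flushed to
  # the socket; at that point the only safe option left is to close the connection.
  private def safe_respond(context : HTTP::Server::Context, status : HTTP::Status)
    context.response.respond_with_status(status)
  rescue
    context.response.close rescue nil
  end
end

# The error handler sits first so it wraps every handler after it.
server = HTTP::Server.new([
  HeaderErrorHandler.new,
  HTTP::StaticFileHandler.new("."),
])
address = server.bind_tcp "127.0.0.1", 8080
puts "Listening on http://#{address}"
server.listen
```

With this in place a request whose path carries `%0A` produces a logged warning and a 400 response, while the listening loop and the other connections continue unaffected; the rescue-all clause is what stops a future header or handler bug from again surfacing as a dead fiber.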