From: Aaron Patterson <aaron@tenderlovemaking.com>
To: Eric Wong
Cc: rack-devel@googlegroups.com
Date: Fri, 4 Nov 2016 17:22:13 -0700
Subject: Re: [PATCH] webrick: detect partial hijack without hash headers
Message-ID: <20161105002213.GA99772@TC.local>
In-Reply-To: <20161102001153.GA10317@starla>
References: <20160511050451.GA23544@dcvr.yhbt.net> <20160512022814.GA8332@dcvr.yhbt.net> <20160512023154.GB8332@dcvr.yhbt.net> <20161102001153.GA10317@starla>

On Wed, Nov 02, 2016 at 12:11:53AM +0000, Eric Wong wrote:
> Eric Wong wrote:
> > Response headers need not be a hash according to SPEC,
> > so grab the io_lambda the first time we iterate through
> > the headers and avoid an extra hash lookup.
> > ---
> > This is related to (but applies independently of) my lint
> > clarification for case-sensitivity.
> >
> > The following changes since commit 9073125f71afd615091f575d74ec468a0b1b79bf:
> >
> >   bumping version (2016-05-06 15:51:18 -0500)
> >
> > are available in the git repository at:
> >
> >   git://80x24.org/rack.git webrick-header-each
> >
> > for you to fetch changes up to 2c95a6e5bc18ac860ec0f7f7614ffb4aa6ad817d:
> >
> >   webrick: detect partial hijack without hash headers (2016-05-12 02:23:48 +0000)
>
> Ping? I just got bitten by this.

Sorry about that, I must have missed this. I've applied the patch and it
should be in the next release.

Thank you!

--
Aaron Patterson
http://tenderlovemaking.com/
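The point of Eric's commit message is that a handler which does `headers['rack.hijack']` silently assumes the headers object is a Hash, while the Rack SPEC only requires it to respond to `each` and yield string pairs. The following is an added illustration, not code from rack, webrick or the patch itself: it contrasts an assumed pre-patch hash lookup with a single `each` pass that picks out the hijack callable and the ordinary headers at the same time. The method names (`hijack_via_hash_lookup`, `split_hijack`, `serve`, `demo`) and the sample header objects are constructed for this example.

```ruby
require 'stringio'

# Assumed pre-patch style, shown for contrast: index the headers like a Hash.
# Works for a Hash (or HeaderHash), but an Array of pairs raises TypeError
# ("no implicit conversion of String into Integer"), so the hijack is missed.
def hijack_via_hash_lookup(headers)
  headers['rack.hijack']
end

# Patch-style: one pass over #each, which is all the Rack SPEC guarantees.
# Returns [ordinary_pairs, io_lambda]; io_lambda is nil when no partial
# hijack was requested. The rack.hijack key is compared exactly (it is
# defined in lowercase by the SPEC), so no case folding is done here.
def split_hijack(headers)
  io_lambda = nil
  pairs = []
  headers.each do |key, value|
    if key == 'rack.hijack'
      io_lambda = value
    else
      pairs << [key, value]
    end
  end
  [pairs, io_lambda]
end

# Minimal server-side flow: write the ordinary headers, then hand the
# stream to the application's callable if one was present. Returns true
# when a partial hijack took place.
def serve(headers, io)
  pairs, io_lambda = split_hijack(headers)
  pairs.each { |k, v| io.write("#{k}: #{v}\r\n") }
  io.write("\r\n")
  return false unless io_lambda
  io_lambda.call(io) # the application now owns the body side of the stream
  true
end

# Run one response through serve() against an in-memory stream and
# return [hijacked?, bytes_written] so the outcome can be inspected.
def demo(headers)
  io = StringIO.new
  hijacked = serve(headers, io)
  [hijacked, io.string]
end

# Constructed sample responses. Both are valid under the SPEC: one is a
# Hash, the other a plain Array of [key, value] pairs.
BODY_WRITER   = ->(io) { io.write("hello\n") }
HASH_HEADERS  = { 'Content-Type' => 'text/plain', 'rack.hijack' => BODY_WRITER }
ARRAY_HEADERS = [['Content-Type', 'text/plain'], ['rack.hijack', BODY_WRITER]]
PLAIN_HEADERS = { 'Content-Length' => '0' }

if __FILE__ == $0
  p demo(HASH_HEADERS)   # => [true, "Content-Type: text/plain\r\n\r\nhello\n"]
  p demo(ARRAY_HEADERS)  # => same result: #each works for the Array too
  p demo(PLAIN_HEADERS)  # => [false, "Content-Length: 0\r\n\r\n"]
  begin
    hijack_via_hash_lookup(ARRAY_HEADERS)
  rescue TypeError => e
    puts "hash lookup on Array headers: #{e.class}: #{e.message}"
  end
end
```

The single `each` pass also avoids the second traversal that a separate lookup would add, which is the "extra hash lookup" the commit message refers to; any headers object that follows the SPEC, including ones that are not Hash-like at all, takes the same code path.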