Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crash on malformed (HTTP/2?) 301 #334

Open
doriantaylor opened this issue Jul 23, 2019 · 2 comments
Open

crash on malformed (HTTP/2?) 301 #334

doriantaylor opened this issue Jul 23, 2019 · 2 comments

Comments

@doriantaylor
Copy link

Getting a crash scenario from a 301 without a Location header. What appears to happen is that HttpConnection#redirect gets called with nil as a location which creates an empty hostname. Stack trace looks like this:

        7: from /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in `run'
        6: from /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in `run_machine'
        5: from /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:1482:in `event_callback'
        4: from /home/dorian/clients/people/dorian-taylor/rb-em-http-request/lib/em-http/http_connection.rb:33:in `unbind'
        3: from /home/dorian/clients/people/dorian-taylor/rb-em-http-request/lib/em-http/http_connection.rb:231:in `unbind'
        2: from /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/em/connection.rb:686:in `reconnect'
        1: from /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:795:in `reconnect'
/var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:795:in `connect_server': no implicit conversion of nil into String (TypeError)

No checking for Location header in the client
No subsequent checking in the connection

The result is that an instance like this is created: #<Addressable::URI:0x2aaf7488f7a4 URI:/>, which makes @host be nil and thus crash with the type error cited above.

This should be easy enough to patch, the only question is what precisely—policywise—to patch it with.
@igrigorik
Copy link
Owner

Do you have an example test case to reproduce this behavior? I'm still a bit unclear on how this path is triggered.

@doriantaylor
Copy link
Author

I wrote a quick CGI script to replicate it. It's up here: https://makethingsmakesense.com/bogus-redirect.cgi . Try hitting it and you'll see the crash.

This will fix it but I'm not sure if it's the most sensible solution:

            # issue #334: you can have a response code which is in the
            # "redirect" range *without* a Location header; indeed
            # this may not be aggressive enough (ie perhaps we should
            # also check if the header is well-formed before
            # committing more resources)
            if redirect? && @response_header.location
              @req.followed += 1

              @cookies.clear
              @cookies = @cookiejar.get(@response_header.location).map(&:to_s) if @req.pass_cookies

              @conn.redirect(self, @response_header.location)
            else
              succeed(self)
            end

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@igrigorik @doriantaylor