From rnew...@apache.org
Subject [18/45] mochiweb commit: updated refs/heads/master to cb521b3
Date Tue, 25 Aug 2015 17:38:36 GMT
fixed an DoS vulnerability in Mochiweb/SSL


Project: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/commit/7cf56e3b
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/tree/7cf56e3b
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/diff/7cf56e3b

Branch: refs/heads/master
Commit: 7cf56e3babb89e9bf486b79aa40d11b042eda591
Parents: ce37cb2
Author: Atilla Erdodi <atilla.erdodi@gmail.com>
Authored: Tue Jan 25 02:27:12 2011 +0100
Committer: Marc Worrell <marc@worrell.nl>
Committed: Wed Oct 15 12:45:57 2014 +0200

----------------------------------------------------------------------
 src/mochiweb_socket.erl | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/blob/7cf56e3b/src/mochiweb_socket.erl
----------------------------------------------------------------------
diff --git a/src/mochiweb_socket.erl b/src/mochiweb_socket.erl
index 76b018c..bf503cc 100644
--- a/src/mochiweb_socket.erl
+++ b/src/mochiweb_socket.erl
@@ -8,6 +8,9 @@
          setopts/2, type/1]).
 
 -define(ACCEPT_TIMEOUT, 2000).
+-define(SSL_TIMEOUT, 10000).
+-define(SSL_HANDSHAKE_TIMEOUT, 20000).
+
 
 listen(Ssl, Port, Opts, SslOpts) ->
     case Ssl of
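Review bot: The two macros added after `?ACCEPT_TIMEOUT` have no comment saying what each one bounds or that the values are milliseconds, and nothing explains why they differ from the existing 2000 ms accept timeout. I would add `%% ms to wait for an incoming connection in ssl:transport_accept/2` above `SSL_TIMEOUT` and `%% ms a peer is given to complete the TLS handshake in ssl:ssl_accept/2` above `SSL_HANDSHAKE_TIMEOUT`. The added blank `+` line also leaves two empty lines before `listen/4`, which can be dropped.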
@@ -25,9 +28,9 @@ listen(Ssl, Port, Opts, SslOpts) ->
 accept({ssl, ListenSocket}) ->
     % There's a bug in ssl:transport_accept/2 at the moment, which is the
     % reason for the try...catch block. Should be fixed in OTP R14.
-    try ssl:transport_accept(ListenSocket) of
+    try ssl:transport_accept(ListenSocket, ?SSL_TIMEOUT) of
         {ok, Socket} ->
-            case ssl:ssl_accept(Socket) of
+            case ssl:ssl_accept(Socket, ?SSL_HANDSHAKE_TIMEOUT) of
                 ok ->
                     {ok, {ssl, Socket}};
                 {error, _} = Err ->
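Review bot: A peer that connects and then never completes the handshake can still hold the `ssl:ssl_accept(Socket, ?SSL_HANDSHAKE_TIMEOUT)` call for the full 20 s, so the change bounds the stall rather than removing it. If accept/1 runs inside a fixed set of acceptor processes (not visible here), each stalled peer would still take one of them out of service for that long, so a shorter default or a configurable value is worth considering. The `{error, _} = Err` branch continues outside the hunk; confirm that the accepted `Socket` is released there when the handshake returns `{error, timeout}`. Callers should also treat `{error, timeout}` from `ssl:transport_accept/2` as a routine retry rather than an error to log on every idle interval.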

