Lamest. Patch. Ever.
November 14th, 2006
A developer I’m working with points me to an announcement of a serious DoS vulnerability in Ruby’s CGI library that would allow Rails apps to get locked up with a trivial attack if they process MIME parts at all.
Crikey.
So I follow the paper-trail to the original source and get here: Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack
Wow. That looks serious. It can kill the server! 99% lock-up! Urgent patch!
I don’t dispute the seriousness of the effect of the vulnerability, but having looked at the patch file, I’m confused this wasn’t picked up in testing, and it took me a whole five minutes to stop laughing after thinking about people running around complaining that their Windows gem couldn’t be updated:
--- /opt/local/lib/ruby/1.8/cgi.rb 2005-10-06 19:01:22.000000000 -0600
+++ cgi.rb 2006-09-22 16:38:08.000000000 -0600
@@ -1017,7 +1017,7 @@
else
stdinput.read(content_length)
end
- if c.nil?
+ if c.nil? || c.empty?
raise EOFError, "bad content body"
end
buf.concat(c)
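Review bot: the changed condition `if c.nil? || c.empty?` carries no comment saying why an empty read is now treated as end of input, and the message stays "bad content body", so the reason for the extra check is easy to lose in a later cleanup. `read` can hand back an empty string rather than nil (it does so when asked for zero bytes, which the `stdinput.read(content_length)` branch allows), and the old check let that empty chunk fall through to `buf.concat(c)` without raising. Suggest a one-line comment above the condition stating that an empty chunk means no further data will arrive, plus a regression test that feeds a multipart body which ends before it is complete and asserts that EOFError is raised.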
No, I’m not making that up. It really is just a one line change from ‘if c.nil?’ to ‘if c.nil? || c.empty?’. Reminds me of something I read earlier about the Rails method ‘blank?’ which basically tests if an object is nil or empty, and nothing else. Looks like it should be in the base of Ruby itself. :-)
And before you test whether I’m patched - yes, I am.

