fukamachi / clack

Web server abstraction layer for Common Lisp
MIT License

Another way to crash the server (CLACK.SESSION with a second CLACK.SESSION) #112

Closed ahungry closed 9 years ago

ahungry commented 9 years ago

For some reason, Googlebot crashed my clack instance by passing in the CLACK.SESSION cookie in a malformed manner, such as:

CLACK.SESSION=the_session_id, CLACK.SESSION=the_session_id

For the cookie: value in the HTTP headers.

This can be replicated by starting a fresh clack or caveman instance and making a request to it such as:

 curl -b 'CLACK.SESSION=a, CLACK.SESSION=b' 'http://ahungry.com:5000'

As this is breaking a production site, I'll post up an IPTABLES rule to block these requests that cause unhandled memory faults/uncaught errors until I have a chance to make some clack changes/push requests.

ahungry commented 9 years ago

A very specific fix for this one condition via iptables:

iptables -I INPUT -p tcp --dport 5000 -m string --algo bm --from 0 --to 5000 --string ", CLACK.SESSION" -j DROP

fukamachi commented 9 years ago

I figured out it is a problem in clack.middleware.session. The error can be reproduced with this example.

(ql:quickload :clack-v1-compat)

(clack:clackup
  (lack:builder
    clack.middleware.session:<clack-middleware-session>
    (lambda (env) '(200 () ("Hi")))))

It seems Lack doesn't have the same problem, so this would occur only with clack-v1-compat.
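A tolerant Cookie-header parser of the kind a session middleware needs in order to survive the duplicated `CLACK.SESSION` cookie reported in this issue, as an added example in Python; it is not Clack's or Lack's code, and the sample headers and the session-id format (`_SESSION_ID_RE`) are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample headers (not captured traffic): the malformed form from
# the report, a normal form, and a mix of both.
SAMPLE_HEADERS = {
    "malformed": "CLACK.SESSION=a, CLACK.SESSION=b",
    "normal": "CLACK.SESSION=abc123; theme=dark",
    "mixed": "theme=dark; CLACK.SESSION=abc123, CLACK.SESSION=zzz",
}

# Assumed session-id alphabet; a real application would match its own id format.
_SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def parse_cookie_header(header: str) -> Dict[str, List[str]]:
    """Split a Cookie header into name -> [values], keeping every occurrence
    of a repeated name instead of failing on it.  Both ';' (RFC 6265) and ','
    (as seen in the reported request) are accepted as pair separators, so odd
    clients produce odd data rather than an unhandled error."""
    cookies: Dict[str, List[str]] = {}
    for pair in re.split(r"[;,]", header):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        name = name.strip()
        if not name:
            continue
        cookies.setdefault(name, []).append(value.strip().strip('"') if sep else "")
    return cookies


def select_session_id(header: str, cookie_name: str = "CLACK.SESSION") -> Optional[str]:
    """Return the first well-formed session id for cookie_name, or None.
    Multiple values are treated as ambiguous client input, not as an error:
    the first syntactically valid one is used and the rest are ignored, so the
    worst case is a fresh session rather than a crashed server."""
    for value in parse_cookie_header(header).get(cookie_name, []):
        if _SESSION_ID_RE.match(value):
            return value
    return None


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:9} -> {select_session_id(header)!r}")
```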

fukamachi commented 9 years ago

Thank you for reporting! I believe this has been fixed in the latest Clack.