umgeher/cowboy
0
Fork 0
mirror of https://github.com/ninenines/cowboy.git synced 2025-07-14 12:20:24 +00:00
Code Issues Wiki Activity
2145 commits 6 branches 54 tags 12 MiB
Commit graph

9 commits

Author SHA1 Message Date
Loïc Hoguin
8cb9d242b0
Initial HTTP/3 implementation 
This includes Websocket over HTTP/3.

Since quicer, which provides the QUIC implementation,
is a NIF, Cowboy cannot depend directly on it. In order
to enable QUIC and HTTP/3, users have to set the
COWBOY_QUICER environment variable:

  export COWBOY_QUICER=1

In order to run the test suites, the same must be done
for Gun:

  export GUN_QUICER=1

HTTP/3 support is currently not available on Windows
due to compilation issues of quicer which have yet to
be looked at or resolved.

HTTP/3 support is also unavailable on the upcoming
OTP-27 due to compilation errors in quicer dependencies.
Once resolved HTTP/3 should work on OTP-27.

Because of how QUIC currently works, it's possible
that streams that get reset after sending a response
do not receive that response. The test suite was
modified to accomodate for that. A future extension
to QUIC will allow us to gracefully reset streams.

This also updates Erlang.mk.
 2024-03-26 15:53:48 +01:00
Loïc Hoguin
cf71c742d6
Add max_fragmented_header_block_size HTTP/2 option 2024-03-14 12:56:33 +01:00
Loïc Hoguin
b36f064a91
Refresh copyright lines 2024-01-25 11:22:54 +01:00
Viktor Söderqvist
42d87dd776
Add 'max_cancel_stream_rate' config for the rapid reset attack 
Co-authored-by: Björn Svensson <bjorn.a.svensson@est.tech>
 2023-12-06 12:41:58 +01:00
Loïc Hoguin
b339713461
Allow {error, enotconn} as test success in security_SUITE 
This happens from time to time on Windows and is partially
due to how the test is written.
 2020-04-07 10:18:29 +02:00
Loïc Hoguin
6ad842a742
Increase the default max_received_frame_rate 
Allow 10000 frames every 10 seconds instead of just 1000,
as the limit was too quickly reached in some deployments.
 2020-03-29 13:51:21 +02:00
Loïc Hoguin
5cdf78fd57
Fix an intermittent test issue 2019-10-07 12:18:03 +02:00
Loïc Hoguin
ab44985a9e
Fix HTTP/2 CVEs 
A number of HTTP/2 CVEs were documented recently:

  https://www.kb.cert.org/vuls/id/605641/

This commit, along with a few changes and additions in Cowlib,
fix or improve protection against all of them.

For CVE-2019-9511, also known as Data Dribble, the new option
stream_window_data_threshold can be used to control how little
the DATA frames that Cowboy sends can get.

For CVE-2019-9516, also known as 0-Length Headers Leak, Cowboy
will now simply reject streams containing 0-length header names.

For CVE-2019-9517, also known as Internal Data Buffering, the
backpressure changes were already pretty good at preventing this
issue, but a new option max_connection_buffer_size was added for
even better control over how much memory we are willing to allocate.

For CVE-2019-9512, also known as Ping Flood; CVE-2019-9515, also
known as Settings Flood; CVE-2019-9518, also known as Empty Frame
Flooding; and similar undocumented scenarios, a frame rate limiting
mechanism was added. By default Cowboy will now allow 1000 frames
every 10 seconds. This can be configured via max_received_frame_rate.

For CVE-2019-9514, also known as Reset Flood, another rate limiting
mechanism was added and can be configured via max_reset_stream_rate.
By default Cowboy will do up to 10 stream resets every 10 seconds.

Finally, nothing was done for CVE-2019-9513, also known as Resource
Loop, because Cowboy does not currently implement the HTTP/2
priority mechanism (in parts because these issues were well known
from the start).

Tests were added for all cases except Internal Data Buffering,
which I'm not sure how to test, and Resource Loop, which is not
currently relevant.
 2019-10-02 10:44:45 +02:00
Loïc Hoguin
bbc152ba83
Rename sec_SUITE to security_SUITE 2018-11-21 14:21:14 +01:00
Renamed from test/sec_SUITE.erl (Browse further)