mirror of
https://github.com/ninenines/cowboy.git
synced 2025-07-14 04:10:24 +00:00
Small, fast, modern HTTP server for Erlang/OTP.
cowboyerlangfunctionalhigh-performancehttphttp-serverhttp2http2-serverhttpsproduction-readyrestwebweb-frameworkwebsocketwebsocket-serverwebsockets
ab44985a9e
A number of HTTP/2 CVEs were documented recently: https://www.kb.cert.org/vuls/id/605641/ This commit, along with a few changes and additions in Cowlib, fix or improve protection against all of them. For CVE-2019-9511, also known as Data Dribble, the new option stream_window_data_threshold can be used to control how little the DATA frames that Cowboy sends can get. For CVE-2019-9516, also known as 0-Length Headers Leak, Cowboy will now simply reject streams containing 0-length header names. For CVE-2019-9517, also known as Internal Data Buffering, the backpressure changes were already pretty good at preventing this issue, but a new option max_connection_buffer_size was added for even better control over how much memory we are willing to allocate. For CVE-2019-9512, also known as Ping Flood; CVE-2019-9515, also known as Settings Flood; CVE-2019-9518, also known as Empty Frame Flooding; and similar undocumented scenarios, a frame rate limiting mechanism was added. By default Cowboy will now allow 1000 frames every 10 seconds. This can be configured via max_received_frame_rate. For CVE-2019-9514, also known as Reset Flood, another rate limiting mechanism was added and can be configured via max_reset_stream_rate. By default Cowboy will do up to 10 stream resets every 10 seconds. Finally, nothing was done for CVE-2019-9513, also known as Resource Loop, because Cowboy does not currently implement the HTTP/2 priority mechanism (in parts because these issues were well known from the start). Tests were added for all cases except Internal Data Buffering, which I'm not sure how to test, and Resource Loop, which is not currently relevant. |
||
|---|---|---|
| doc/src | ||
| ebin | ||
| examples | ||
| src | ||
| test | ||
| .gitattributes | ||
| .gitignore | ||
| CONTRIBUTING.asciidoc | ||
| erlang.mk | ||
| LICENSE | ||
| Makefile | ||
| plugins.mk | ||
| README.asciidoc | ||
| rebar.config | ||
= Cowboy Cowboy is a small, fast and modern HTTP server for Erlang/OTP. == Goals Cowboy aims to provide a *complete* HTTP stack in a *small* code base. It is optimized for *low latency* and *low memory usage*, in part because it uses *binary strings*. Cowboy provides *routing* capabilities, selectively dispatching requests to handlers written in Erlang. Because it uses Ranch for managing connections, Cowboy can easily be *embedded* in any other application. Cowboy is *clean* and *well tested* Erlang code. == Online documentation * https://ninenines.eu/docs/en/cowboy/2.6/guide[User guide] * https://ninenines.eu/docs/en/cowboy/2.6/manual[Function reference] == Offline documentation * While still online, run `make docs` * User guide available in `doc/` in PDF and HTML formats * Function reference man pages available in `doc/man3/` and `doc/man7/` * Run `make install-docs` to install man pages on your system * Full documentation in Asciidoc available in `doc/src/` * Examples available in `examples/` == Getting help * Official IRC Channel: #ninenines on irc.freenode.net * https://github.com/ninenines/cowboy/issues[Issues tracker] * https://ninenines.eu/services[Commercial Support]