R16 #1

merged 48 commits into from Mar 27, 2013

No description provided.


What if we just make the return value of get_header_value/1 lower case? If it is a string().


shouldn't it be the same for keep-alive then?

well the keep-alive value is also a connection header. But OK...

pmundkur and others added some commits Oct 8, 2012
@pmundkur pmundkur The range-header handling does not implement the following:

  If the last-byte-pos value is absent, or if
  the value is greater than or equal to the current
  length of the entity-body, last-byte-pos is taken
  to be equal to one less than the current length of
  the entity-body in bytes.

Specifically, the 'greater than equal to' case.
@kmwang kmwang add ability to handle combined content-length header. 888ceb5
@etrepum etrepum Merge pull request #85 from pmundkur/fix-ranges
Fix a case in handling range headers
@kmwang kmwang amended get_combined_value. 53ee10b
@kmwang kmwang support parsing quoted string. ede9003
@doubleyou doubleyou Avoid using regular expressions 2def5f1
@doubleyou doubleyou Removed export_all 2ba8d24
@doubleyou doubleyou Merge pull request #88 from doubleyou/handling-combined-header
Handling combined header
@djnym djnym Fix for mochiweb_acceptor crash under R15B02
The source is still unclear but R15B02 now will return an emsgsize error
if the received packet is larger than the recvbuf.  This can be tested with
the following (sorry I don't know how to integrate this sort of test into
mochiweb's tests).



start() ->
  application:start (inets),
  mochiweb_http:start([{port, 5678}, {loop, fun(Req) -> handle_http(Req) end}]).

handle_http(Req) ->
  %% Reply with a fixed 200 page; only the size of the request headers matters here.
  Req:respond({ 200,
                [ {"Content-Type", "text/html"} ],
                [ "<html><body>Hello</body></html>" ]
              }).

test (Len) ->
  httpc:request (get, {"",
                 [{"X-Random", [$a || _ <- lists:seq(1,Len)]}]}, [], []).

Once compiled you can run this with

erl -pa ebin -boot start_sasl

Then run with


The result is different with R14B04 and R15B02.  With R15B02 there was
a crash in the mochiweb_acceptor.  This patch deals with that crash.
@melkote melkote Do not allow backslashes in path (security).
On Windows, it is possible to access arbitrary files by crafting
a GET with unescaped \, like GET /..\..\..\..\..\windows\win.ini

@melkote melkote Issue 92: Do not allow backslashes in path (security).
On Windows, it is possible to access arbitrary files by crafting
a GET with unescaped \, like GET /..\..\..\..\..\windows\win.ini

Please also see ouchbase.com/issues/browse/MB-7390
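
The check this commit message describes, as an added Erlang example that is not mochiweb's own code. The module name `safe_path_example` and the helper `walk/2` are hypothetical, and the caller is assumed to have already stripped the leading "/" from the request path.

```erlang
-module(safe_path_example).
-export([safe_relative_path/1, demo/0]).

%% Added example, not mochiweb's own code.
%% Returns the normalised relative path, or `undefined` when the request
%% path must not be mapped onto the filesystem under the document root.
-spec safe_relative_path(string()) -> string() | undefined.
safe_relative_path("/" ++ _) ->
    undefined;                          % absolute path, never relative to docroot
safe_relative_path(Path) ->
    %% Splitting on "/" alone treats "..\\..\\windows" as one harmless-looking
    %% segment, yet Windows resolves the backslashes as separators when the
    %% file is opened. Reject any backslash before looking at the segments.
    case lists:member($\\, Path) of
        true  -> undefined;
        false -> walk(string:tokens(Path, "/"), [])
    end.

%% Resolve "." and ".." segment by segment; Acc holds accepted segments, reversed.
walk([], Acc)                  -> string:join(lists:reverse(Acc), "/");
walk(["." | Rest], Acc)        -> walk(Rest, Acc);
walk([".." | _], [])           -> undefined;       % would climb above the docroot
walk([".." | Rest], [_ | Acc]) -> walk(Rest, Acc);
walk([Seg | Rest], Acc)        -> walk(Rest, [Seg | Acc]).

%% Constructed request paths paired with the result of the check.
demo() ->
    [{P, safe_relative_path(P)} ||
        P <- ["css/site.css",               % accepted unchanged
              "a/../b.txt",                 % accepted, normalised to "b.txt"
              "../etc/passwd",              % rejected: escapes the docroot
              "..\\..\\windows\\win.ini",   % rejected: backslash
              "img/..\\..\\secret"]].       % rejected: backslash inside a segment
```
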
@melkote melkote Merge branch 'master' of git://github.com/melkote/mochiweb 3259a93
@etrepum etrepum Merge pull request #93 from melkote/master
Pull request for issue 92: Do not allow backslashes in path (windows security).
@etrepum etrepum Merge pull request #91 from djnym/R15B02_mochiweb_acceptor_crash
Fix for mochiweb_acceptor crash under R15B02
@etrepum etrepum prep changelog for 2.4.0 5ed0946
@lhft lhft Added session module for use of secure cookies 1be66c0
@lhft lhft Added some tests. still getting errors though 92464d0
@lhft lhft Trying new encoding ways 1f1867b
@lhft lhft Mochiweb session it's functional now 7aa6d1e
@lhft lhft Working on Dymitri d21e5b2
@lhft lhft Still working on Dymitri's suggestions ba86dff
@lhft lhft There is only one place to put user or any kind of data now. I don't …
…really understand the security implications of this. There is no term_to_binary in the code now.
@vinoski vinoski use tuple modules instead of parameterized modules
Erlang R16, coming soon, will do away with parameterized modules (see Issue
4 under http://www.erlang.org/news/35 for details). Change Mochiweb to use
tuple modules instead, since they will continue to be supported in R16 and
beyond. These changes are backward compatible, so current Mochiweb
applications should require only recompilation to continue working.
@etrepum etrepum Merge pull request #95 from vinoski/drop-param-mods
use tuple modules instead of parameterized modules
@etrepum etrepum update CHANGES and bump vsn to 2.4.0 b02ea50
@etrepum etrepum #96 - mochifmt_records regression 22b770e
@lhft lhft Working on improvements suggested by doubleyou df5a881
@etrepum etrepum fix mochiweb_request regression #97 5a1b589

I have been trying to run mochiweb template app for the last couple hours and I could not make it run. Then it magically started to work. So I wasn't doing anything wrong after all.

Sorry about that, some regressions were introduced a few days ago in the name of R16 compatibility. Most or all of the kinks should be worked out by now, please report any issues if you run into anything else.


Dialyzer tells me that some of these specs are invalid. The following diff shows specs that shut off dialyzer warnings:

--- a/src/mochiweb_session.erl
+++ b/src/mochiweb_session.erl
@@ -99,13 +99,13 @@ ensure_binary(B) when is_binary(B) ->
 ensure_binary(L) when is_list(L) ->
--spec encrypt_data(iolist(), iolist()) -> binary().
+-spec encrypt_data(binary(), binary()) -> binary().
 encrypt_data(Data, Key) ->
     IV = crypto:rand_bytes(16),
     Crypt = crypto:aes_cfb_128_encrypt(Key, IV, Data),
--spec decrypt_data(binary(), iolist()) -> binary().
+-spec decrypt_data(binary(), binary()) -> binary().
 decrypt_data(<>, Key) ->
     crypto:aes_cfb_128_decrypt(Key, IV, Crypt).
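Review bot: The new specs for encrypt_data/2 and decrypt_data/2 type Key as any binary(), but it goes straight into crypto:aes_cfb_128_encrypt and crypto:aes_cfb_128_decrypt, which need a 128-bit key; consider `<<_:128>>` for Key in both specs, or a guard such as `when byte_size(Key) =:= 16`, so the length requirement is stated where the key enters. Since ensure_binary/1 appears in the context at the top of this hunk, a short comment that callers must convert lists with it before calling would document why iolist() was dropped. Separately from the spec change, the context line `IV = crypto:rand_bytes(16)` is worth moving to crypto:strong_rand_bytes(16).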
@@ -113,8 +113,8 @@ decrypt_data(<>, Key) ->
 gen_key(ExpirationTime, ServerKey)->
     crypto:md5_mac(ServerKey, [ExpirationTime]).
--spec gen_hmac(iolist(), iolist(), iolist(), iolist()) -> binary().
-gen_hmac(ExpirationTime, Data, SessionKey, Key)->
+-spec gen_hmac(iolist(), binary(), iolist(), binary()) -> binary().
+gen_hmac(ExpirationTime, Data, SessionKey, Key) ->
     crypto:sha_mac(Key, [ExpirationTime, Data, SessionKey]).
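Review bot: In the new gen_hmac/4 spec, Data and Key become binary() while ExpirationTime and SessionKey stay iolist(), and nothing in the hunk says why the four arguments differ; add a one-line comment above the spec stating which types the callers actually supply. The iolist `[ExpirationTime, Data, SessionKey]` is also MACed with no separator or length prefix between the fields, so leaving ExpirationTime as a variable-length iolist() keeps the field boundaries ambiguous unless its length is fixed elsewhere; a fixed-width binary would be tighter. The `) ->` spacing fix is applied to gen_hmac only, while `gen_key(ExpirationTime, ServerKey)->` just above keeps the old style.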

Hope this helps.


@marutha marutha merged commit 7f75cfb into marutha:master Mar 27, 2013