Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Security flaw #37

si14 opened this Issue · 8 comments

5 participants


When user opens page with content like

body() ->
    wf:comet(fun() -> counter(1) end),
    #panel { id=p_container, body=[
        #label { text="Messages so far:" },
        #panel { id=p_messages }

counter/1 is spawned, but never killed if user didn't load .js files for some reason.


Yes, I've seen this as well. In the end of action_comet:accumulator_loop/4 is code that should handle this but is doesn't trigger if the comet process pushes anything to the page (that send a {add_actions, NewActions} to the accumulator.


In fact I can see this behaviour even with enabled JS.

It is a serious problem for my usage of Nitrogen.


Ok, I've been wrong, processes are killed after timeout. The question is — why not to kill them after http client disconnect?


I have a accumulator process (from action_comet.erl) that aren't killed.
Add to your project and call it from i erlang shell: httpc:request("http://localhost:8000/demos_comet3"). That should reproduce the error.


I've spent 6 hours today hunting this bug. No luck. What happens is that on initial JavaScript execution, eventContext is POSTed back to the server, and event(start_async) kicks off in lib/nitrogen_core/src/actions/action_comet.erl

What happens is that when the page gets rendered with JavaScript disabled, the action_comet:event/1 never gets called, and action_comet:flush/0 just keeps on pushing messages into accumulator_loop. I hacked accumulator_loop/4 to detect when there was no javascript executed, because TimerRef is undefined when the process receives {add_actions, NewActions} but erlang:exit({accumulator_loop, undefied}); at that point does nothing.

The bug might not be in the action_comet.erl but in the way the whole Comet process gets handled. I wish somebody could fix this bug.


Here's my fix for this: For a detailed explaination, see the "Note" section I added at the top of the "INTERFACE" section


Also, I recommend cherry-picking this for now, rather than pull from my repo, as I have a lot of things in here that are a little "alpha", if you will that need to be finished up before merging into mainline.


Also, please let me know if you catch something I may have overlooked. Note: my fix here will catch and kill the process after 30 seconds if the javascript still isn't loaded for that Pid.

@choptastic choptastic closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.