fix bug where Date header was incorrectly formatted as week-based year #93
If your app is currently affected by this bug, you can work around it by adding the following line in your ApplicationController:

```ruby
before_filter { response.date = Time.now.utc }
```

This will ensure that the date header is set before it gets to passenger, so passenger's buggy date will not insert the buggy date. |
holy shit, this causes terrible bugs. please pull! |
@zilkey you are a god |
PULL IT! It took me so long to find this stupid bug! |
Unfortunately, pulling won't solve our immediate problems. I think the best we can do is try and get the word out as quickly as possible. https://news.ycombinator.com/item?id=6986291 |
Phew! I'm glad other people are seeing this. @mistidoi, @peashutop and I thought we were crazy this morning. |
I probably looked like a lunatic in the cafe where I was working. God damn, what a hilarious bug. |
I can confirm this bug. It was causing our cookies to expire immediately. It was affecting us for about the last 24 hours until I updated the application.rb file to set the `response.header['date']` option in an after_filter. |
Kinda silly, but I made a gem that automatically includes this fix in (I have a bunch of active projects, and needed to apply the fix to all of them...) |
I'll fix this immediately and roll out a new gem, tarball and binaries. Thanks for letting us know. |
Hi Guys, this sounds pretty serious so I contacted Hongli, he'll check this Are you saying every rails app could be failing today or is it a certain
|
We have two different configurations. One with nginx and one with apache. The apache apps are fine. I think apache is overriding passenger's header date. But the nginx ones are showing the bug. |
It should be every rails app that uses passenger and does not set its own Date header and does not have its date header overridden by something (as in the case of Apache, as squiggs77 mentioned) |
@d-snp - this only affects cookies that have an expiration before the buggy date. For example, we have our session set to automatically timeout after a given time period, like so:

```ruby
Rails.application.config.session_store(
  :cookie_store,
  key: '_myapp_session',
  expire_after: 1000.seconds
)
```

In this case, the app always thinks that the session cookie has already expired, so some browsers don't send that cookie back to the server on the next request.

@squiggs77 - we can also confirm that apache is fine. So we believe this affects:
We also noticed that if you have mini-profiler enabled, it can override the headers set in |
Thanks @FooBarWidget. Couldn't ask for a better response. |
For those of you using mini-profiler, check out this line: https://github.com/MiniProfiler/rack-mini-profiler/blob/master/lib/mini_profiler/profiler.rb#L373 which deletes the date header from the response. Make sure to disable mini-profiler in development if you are debugging this issue too. |
Is this a particular version of Passenger? Why would the error start affecting people just now? |
It was released in Passenger 4.0.0.rc4 which was less than a year ago and the bug only shows itself the last few days of a calendar year. So if nothing is done it will start working again on Wednesday, but then break again the end of next year. |
Fix has been committed, pushed and released. Both the open source and Enterprise gems and tarballs have been released. Binaries and APT packages are being built by our build server. http://blog.phusion.nl/2013/12/30/phusion-passenger-4-0-30-released-fixes-date-header-bug-that-causes-cookies-to-expire-prematurely/ Thanks everyone for your help. |
As for why %G was used instead of %Y: it's simply a case of mea culpa. I was looking for a formatter that would always format the year as 4 digits and never as 2, regardless of locale. But I didn't read the documentation correctly and thought that %G was what I needed. |
We worked on this issue for about 10 hours this morning as well. What a pain in the butt. We fixed it with changing the header in our apps for the Date header. |
@zenom Sorry for the hassle. |
Thanks for the quick fix! |
If I had to choose between passenger 359 days of the year, or passenger 0 days of the year, I'd still choose 359 :) Thanks for the great work and the quick fix! |
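If there is still someone with Rails 2 and this bug, we could solve it by doing:

```ruby
class ApplicationController < ActionController::Base
  after_filter :set_headers

  # Set the Date header in the app so Passenger does not generate its own.
  def set_headers
    # httpdate renders the RFC 1123 form HTTP expects, e.g. "Mon, 30 Dec 2013 18:12:43 GMT"
    response.headers["Date"] = Time.now.utc.httpdate
  end
end
```

|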
I'm using in my application controller: `response.headers['date']=Time.zone.now.utc.httpdate` The '.zone' may not be needed, but the '.httpdate' should format the date correctly for the header. |
Yea, anyway, it is fixed now. I just updated the gem and it works perfectly. No quick hack needed. The process is quite straightforward, described in the installation guide. Ah! Another weird thing: at least our site was working okay in Safari. |
We've been debugging this problem as well ... thanks for the quick response. |
If you use nginx as a load balancer in front of many nginx+passenger instances on several servers, the problem does not affect your site. The nginx load balancer overrides the wrong data with the correct one. |
o) www/rubygem-passenger;
o) third-party modules for www/nginx and www/nginx-devel.

<ChangeLog>

* Fixed wrong autogeneration of HTTP Date header. If the web app does not supply a Date header, then Passenger will add one. Unfortunately due to the use of the wrong format string, December 30 2013 is formatted as December 30 2014. As a result, cookies that expire before 2014 would expire on December 30 2013 and December 31 2013. Details can be found at [Github pull request 93](phusion/passenger#93). This issue only affects Phusion Passenger for Nginx and Phusion Passenger Standalone, and does not affect Phusion Passenger for Apache.

  You can work around this problem in your application by setting a Date header. For example, in Rails you can do:

      before_filter { response.date = Time.now.utc }

  Many thanks to Jeff Michael Dean (zilkey) and many others for bringing this to our attention and for providing workarounds and feedback.

</ChangeLog>
--------------

* [Nginx] Upgraded the preferred Nginx version to 1.6.0.
* [Nginx] Fixed compatibility with Nginx 1.7.0.
* There are now APT packages for Ubuntu 14.04. At the same time, packages for Ubuntu 13.10 have been abandoned.
* Introduced a new command, `passenger-config build-native-support`, for ensuring that the native_support library for the current Ruby interpreter is built. This is useful in system provisioning scripts.
* For security reasons, friendly error pages (those black/purple pages that show the error message, backtrace and environment variable dump when an application fails to start) are now disabled by default when the application environment is set to 'staging' or 'production'. Fixes issue #1063.
* Fixed some compilation warnings on Ubuntu 14.04.
* Fixed some compatibility problems with Rake 10.2.0 and later. See [Rake issue 274](jimweirich/rake#274).
* Improved error handling in [Union Station](https://www.unionstationapp.com) support.
* Data is now sent to Union Station on a more frequent basis, in order to make new data show up more quickly.
* Information about the code revision is now sent to Union Station, which will be used in the upcoming deployment tracking feature in Union Station 2.

Release 4.0.41
--------------

* Fixed some issues with printing UTF-8 log files on Heroku.
* Added a new flag `--ignore-app-not-running` to `passenger-config restart-app`. When this flag is given, `passenger-config restart-app` will exit successfully when the specified application is not running, instead of exiting with an error.
* Our precompiled Passenger Standalone binaries have been upgraded to use OpenSSL 1.0.1g, which fixes the OpenSSL Heartbleed vulnerability. Users who are using Passenger Standalone with SSL enabled are vulnerable, and should upgrade immediately. Users who do not use Passenger Standalone, users who use Passenger Standalone without SSL, or users who use Passenger Standalone with SSL behind another SSL-enabled reverse proxy, are not vulnerable.

Release 4.0.40
--------------

* Upgraded preferred Nginx version to 1.4.7. This Nginx version fixes a buffer overflow. Users are strongly urged to upgrade Nginx as soon as possible.

Release 4.0.39
--------------

* Fixed a crash that could happen if the client disconnects while a chunked response is being sent. Fixes issue #1062.
* In Phusion Passenger Standalone, it is now possible to customize the Nginx configuration file on Heroku. It is now also possible to permanently apply changes to the Nginx configuration file, surviving upgrades. Please refer to the "Advanced configuration" section of the Phusion Passenger Standalone manual for more information.
* The programming language selection menu in passenger-install-apache2-module and passenger-install-nginx-module only works on terminals that support UTF-8 and that have a UTF-8 capable font. To cater to users who cannot meet these requirements (e.g. PuTTY users using any of the default Windows fonts), it is now possible to switch the menu to a plain text mode by pressing '!'. Fixes issue #1066.
* Fixed printing UTF-8 characters in log files in Phusion Passenger Standalone.
* It is now possible to dump live backtraces of Python apps through the 'SIGABRT' signal.
* Fixed closing of file descriptors on OS X 10.9.
* Fixed compilation problems with Apple Clang 503.0.38 on OS X.
* Fixed compilation of native_support on Rubinius.

Release 4.0.38
--------------

* Added support for the new Ruby 2.1.0 out-of-band garbage collector. This can much improve garbage collection performance, and drastically reduce request times.
* Fixed a symlink-related security vulnerability.

  Urgency: low
  Scope: local exploit
  Summary: writing files to arbitrary directory by hijacking temp directories
  Affected versions: 4.0.37
  Fixed versions: 4.0.38
  CVE-2014-1832

  Description: This issue is related to CVE-2014-1831 (the security issue as mentioned in the 4.0.37 release notes). The previous fix was incomplete, and still has a (albeit smaller) small attack time window in between two filesystem checks. This attack window is now gone.
* Passenger Standalone is now compatible with IPv6.
* Fixed some compilation problems on Solaris. See issue #1047.
* passenger-install-apache2-module and passenger-install-nginx-module now automatically run in `--auto` mode if stdin is not a TTY. Fixes issue #1030.
* Fixed an issue with non-bundled Meteor apps not correctly running in production mode.
* The `PassengerPreStart` option is now compatible with IPv6 server sockets.
* When running Python WSGI apps, `wsgi.run_once` is now set to False. This should improve the performance of certain apps and frameworks.
* When handling HTTP requests with chunked transfer encoding, the 'Transfer-Encoding' header is no longer passed to the application. This is because the web server already buffers and dechunks the request body.
* Fixed a possible hang in Phusion Passenger for Nginx when Nginx is instructed to reload or reopen log files. Thanks to Feng Gu, [pull request #97](phusion/passenger#97).
* The preferred Nginx version has been upgraded to 1.4.6.
* Fixed a problem with running passenger-install-apache2-module and passenger-install-nginx-module on JRuby. They were not able to accept any terminal input after displaying the programming language menu.

Release 4.0.37
--------------

* Improved Node.js compatibility. Calling on() on the request object now returns the request object itself. This fixes some issues with Express, Connect and Formidable. Furthermore, some WebSocket-related issues have been fixed.
* Improved Meteor support. Meteor application processes are now shut down quicker. Previously, they linger around for 5 seconds while waiting for all connections to terminate, but that didn't work well because WebSocket connections were kept open indefinitely. Also, some WebSocket-related issues have been fixed.
* Introduced a new tool `passenger-config detach-process` for gracefully detaching an application process from the process pool. Has a similar effect to killing the application process directly with `kill <PID>`, but killing directly may cause the HTTP client to see an error, while using this command guarantees that clients see no errors.
* Fixed a crash that occurs when an application fails to spawn, but the HTTP client disconnects before the error page is generated. Fixes issue #1028.
* Fixed a symlink-related security vulnerability.

  Urgency: low
  Scope: local exploit
  Summary: writing files to arbitrary directory by hijacking temp directories
  Affected versions: 4.0.5 and later
  Fixed versions: 4.0.37
  CVE-2014-1831

  Description: Phusion Passenger creates a "server instance directory" in /tmp during startup, which is a temporary directory that Phusion Passenger uses to store working files. This directory is deleted after Phusion Passenger exits. For various technical reasons, this directory must have a semi-predictable filename. If a local attacker can predict this filename, and precreates a symlink with the same filename that points to an arbitrary directory with mode 755, owner root and group root, then the attacker will succeed in making Phusion Passenger write files and create subdirectories inside that target directory. The following files/subdirectories are created:

  * control_process.pid
  * generation-X, where X is a number.

  If you happen to have a file inside the target directory called `control_process.pid`, then that file's contents are overwritten.

  These files and directories are deleted during Phusion Passenger exit. The target directory itself is not deleted, nor are any other contents inside the target directory, although the symlink is.

  Thanks go to Jakub Wilk for discovering this issue.

Release 4.0.36
--------------

* [Enterprise] Fixed some Mass Deployment bugs.
* [Enterprise] Fixed a bug that causes an application group to be put into Deployment Error Resistance Mode if rolling restarting fails while deployment error resistance is off. Deployment Error Resistance Mode is now only activated if it's explicitly turned on.
* Passenger Standalone now gzips JSON responses.
* Fixed some cases in which Passenger Standalone does not properly clean up its temporary files.

Release 4.0.35
--------------

* Fixed some unit tests.

Release 4.0.34
--------------

* The Node.js loader code now sets the `isApplicationLoader` attribute on the bootstrapping module. This provides a way for apps and frameworks that check for `module.parent` to check whether the current file is loaded by Phusion Passenger, or by other software that work in a similar way.

  This change has been introduced to solve a compatibility issue with CompoundJS. CompoundJS users should modify their server.js, and change the following:

      if (!module.parent) {

  to:

      if (!module.parent || module.parent.isApplicationLoader) {

* Improved support for Meteor in development mode. Terminating Phusion Passenger now leaves less garbage Meteor processes behind.
* It is now possible to disable the usage of the Ruby native extension by setting the environment variable `PASSENGER_USE_RUBY_NATIVE_SUPPORT=0`.
* Fixed incorrect detection of the Apache MPM on Ubuntu 13.10.
* When using RVM, if you set PassengerRuby/passenger_ruby to the raw Ruby binary instead of the wrapper script, Phusion Passenger will now print an error.
* Added support for RVM >= 1.25 wrapper scripts.
* Fixed loading passenger_native_support on Ruby 1.9.2.
* The Union Station analytics code now works even without native_support.
* Fixed `passenger-install-apache2-module` and `passenger-install-nginx-module` in Homebrew.
* Binaries are now downloaded from an Amazon S3 mirror if the main binary server is unavailable.
* And finally, although this isn't really a change in 4.0.34, it should be noted. In version 4.0.33 we changed the way Phusion Passenger's own Ruby source files are loaded, in order to fix some Debian and RPM packaging issues. The following doesn't work anymore:

      require 'phusion_passenger/foo'

  Instead, it should become:

      PhusionPassenger.require_passenger_lib 'foo'

  However, we overlooked the fact that this change breaks Ruby apps which use our Out-of-Band GC feature, because such apps had to call `require 'phusion_passenger/rack/out_of_band_gc'`. Unfortunately we're not able to maintain compatibility without reintroducing the Debian and RPM packaging issues. Users should modify the following:

      require 'phusion_passenger/rack/out_of_band_gc'

  to:

      if PhusionPassenger.respond_to?(:require_passenger_lib)
        # Phusion Passenger >= 4.0.33
        PhusionPassenger.require_passenger_lib 'rack/out_of_band_gc'
      else
        # Phusion Passenger < 4.0.33
        require 'phusion_passenger/rack/out_of_band_gc'
      end

Release 4.0.33
--------------

* Fixed a compatibility problem in passenger-install-apache2-module with Ruby 1.8. The language selection menu didn't work properly.

Release 4.0.32
--------------

* Fixed compatibility problems with old Ruby versions that didn't include RubyGems.

Release 4.0.31
--------------

* Introduced a new tool: `passenger-config restart-app`. With this command you can initiate an application restart without touching restart.txt. Unlike touching restart.txt, this tool initiates the restart immediately instead of on the next request.
* Fixed some problems in process spawning and request handling.
* Fixed some problems with the handling of HTTP chunked transfer encoding bodies. These problems only occurred in Ruby.
* Fixed the HelperAgent, upon shutdown, not correctly waiting 5 seconds until all clients have disconnected. Fixes issue #884.
* Fixed compilation problems on FreeBSD.
* Fixed some C++ strict aliasing problems.
* Fixed some problems with spawning applications that print messages without newline during startup. Fixes issue #1039.
* Fixed potential hangs on JRuby when Ctrl-C is used to shutdown the server. Fixes issue #1035.
* When Phusion Passenger is installed through the Debian package, passenger-install-apache2-module now checks whether the Apache module package (libapache2-mod-passenger) is properly installed, and installs it using apt-get if it's not installed. Fixes issue #1031.
* The `passenger-status --show=xml` command no longer prints the non-XML preamble, such as the version number and the time. Fixes issue #1037.
* The Ruby native extension checks whether it's loaded against the right Ruby version, to prevent problems when people upgrade Ruby without recompiling their native extensions.
* Various other minor Debian packaging improvements.

Release 4.0.30
--------------

* Fixed wrong autogeneration of HTTP Date header. If the web app does not supply a Date header, then Passenger will add one. Unfortunately due to the use of the wrong format string, December 30 2013 is formatted as December 30 2014. As a result, cookies that expire before 2014 would expire on December 30 2013 and December 31 2013. Details can be found at [Github pull request 93](phusion/passenger#93). This issue only affects Phusion Passenger for Nginx and Phusion Passenger Standalone, and does not affect Phusion Passenger for Apache.

  You can work around this problem in your application by setting a Date header. For example, in Rails you can do:

      before_filter { response.date = Time.now.utc }

  Many thanks to Jeff Michael Dean (zilkey) and many others for bringing this to our attention and for providing workarounds and feedback.

Release 4.0.29
--------------

* Fixed a compilation problem on OS X Mavericks.

Release 4.0.28
--------------

* Introduced a workaround for a GCC 4.6 bug. This bug could cause Phusion Passenger to crash during startup. Affected operating systems include Ubuntu 12.04 and Amazon Linux 2013.09.01, though not every machine with this OS installed exhibits the problem. See issue #902.
* Improved Node.js support: the Sails framework is now supported.
* Improved Node.js support: the streams2 API is now supported.
* Introduced support for hooks, allowing users to easily extend Phusion Passenger's behavior.
* Fixed a bug in the `passenger start -R` option. It was broken because of a change introduced in 4.0.25.
* Fixed a bug in PassengerMaxInstancesPerApp. Fixes issue #1016.
* Fixed compilation problems on Solaris.
* Fixed an encoding problem in the Apache autodetection code. Fixes issue #1026.
* The Debian packages no longer depend on libruby.
* Application stdout and stderr are now printed without normal Phusion Passenger debugging information, making them easier to read.

Release 4.0.27
--------------

* [Apache] Fixed a bug in the Apache module which could lock up the Apache process or thread. This is a regression introduced in version 4.0.24.
* Node.js application processes now have friendly process titles.

Release 4.0.26
--------------

* Introduced the `PassengerBufferUpload` option for Apache. This option allows one to disable upload buffering, e.g. in order to be able to track upload progress.
* [Nginx] The `HTTPS` variable is now set correctly for HTTPS connections, even without setting `ssl on`. Fixes issue #401.
* [Standalone] It is now possible to listen on both a normal HTTP and an HTTPS port.
* [Enterprise] The `passenger-status` tool now displays rolling restart status.

Release 4.0.25
--------------

* The `PassengerAppEnv`/`passenger_app_env`/`--environment` option now also sets NODE_ENV, so that Node.js frameworks like Connect can properly respond to the environment.
* Fixed a bug in our Debian/Ubuntu packages causing `passenger-install-nginx-module` not to be able to compile Nginx.
* Arbitrary Node.js application structures are now supported.
* [Nginx] Introduced the `passenger_restart_dir` option.
* [Nginx] Upgraded preferred Nginx version to 1.4.4 because of CVE-2013-4547.

Release 4.0.24
--------------

* Introduced the `PassengerNodejs` (Apache) and `passenger_nodejs` (Nginx) configuration options.
* [Apache] Introduced the `PassengerErrorOverride` option, so that HTTP error responses generated by applications can be intercepted by Apache and customized using the `ErrorDocument` directive.
* [Standalone] It is now possible to specify some configuration options in a configuration file `passenger-standalone.json`. When Passenger Standalone is used in Mass Deployment mode, this configuration file can be used to customize settings on a per-application basis.
* [Enterprise] Fixed a potential crash when a rolling restart is triggered while a process is already shutting down.
* [Enterprise] Fixed Mass Deployment support for Node.js and Meteor.

Release 4.0.23
--------------

* Fixed compilation problems on GCC 4.8.2 (e.g. Arch Linux 2013-10-27).
* Fixed a compatibility problem with Solaris /usr/ccs/bin/make: issue #999.
* Support for the Meteor Javascript framework has been open sourced.

Release 4.0.22
--------------

* [Enterprise] Fixed compilation problems on OS X Mavericks.

Release 4.0.21
--------------

* [Nginx] Upgraded the preferred Nginx version to 1.4.3.
* Node.js support has been open sourced.
* Preliminary OS X Mavericks support.
* Work around an Apache packaging bug in CentOS 5.
* Various user friendliness improvements in the documentation and the installers.
* Fixed a bug in the always_restart.txt support. Phusion Passenger was looking for it in the wrong directory.
* Many Solaris and Sun Studio compatibility fixes. Special thanks to "mark" for his extensive assistance.
* [Standalone] The --temp-dir command line option has been introduced.

Release 4.0.20
--------------

* Fixed a bug in Phusion Passenger Standalone's daemon mode. When in daemon mode, the Nginx temporary directory was deleted prematurely, causing some POST requests to fail. This was a regression that was introduced in 4.0.15 as part of an optimization.
* Fixed compilation problems on Solaris 10 with Sun Studio 12.3.
* Improved detection of RVM problems.
* It is now possible to log the request method to Union Station.
* Introduced a new option, `PassengerLoadShellEnvvars` (Apache) and `passenger_load_shell_envvars` (Nginx). This allows enabling or disabling the loading of bashrc before spawning the application.
* [Enterprise] Fixed a packaging problem which caused the flying-passenger executable not to be properly included in the bin path.
* [Enterprise] Fixed a race condition which sometimes causes the Flying Passenger socket to be deleted after a restart. Fixes issue #939.
* [Enterprise] The `byebug` gem is now supported for debugging on Ruby 2.0. The byebug gem requires a patch before this works: deivid-rodriguez/byebug#29

Release 4.0.19
--------------

* Fixed a problem with response buffering. Application processes are now properly marked available for request processing immediately after they're done sending the response, instead of after having sent the entire response to the client.
* The "processed" counter in `passenger-status` is now bumped after the process has handled a request, not at the beginning.
* [Enterprise] Fixed an off-by-one bug in the `passenger_max_processes` setting.

Release 4.0.18
--------------

* The Enterprise variant of Phusion Passenger Standalone now supports customizing the concurrency model and thread count from the command line.
* On Nginx, the Enterprise license is now only checked if Phusion Passenger is enabled in Nginx. This allows you to deploy Nginx binaries, that have Phusion Passenger Enterprise compiled in, to servers that are not actually running Phusion Passenger Enterprise.
* Fixed a performance bug in the Union Station support code. In certain cases where a lot of data must be sent to Union Station, the code is now over 100 times faster.
* `passenger-status --show=union_station` now displays all clients that are connected to the LoggingAgent.
* Added a workaround for Heroku so that exited processes are properly detected as such.
* When using Phusion Passenger Standalone with Foreman, pressing Ctrl-C in Foreman no longer results in runaway Nginx processes.
* Fixed backtraces in the Apache module.

Release 4.0.17
--------------

* Fixed compilation problems on GCC 4.8 systems, such as Arch Linux 2013.04. Fixes issue #941.
* Fixed some deprecation warnings when compiling the Ruby native extension on Ruby 2.0.0.
* Fixed some Union Station-related stability issues.

Release 4.0.16
--------------

* Allow Phusion Passenger to work properly on systems where the user's GID does not have a proper entry in /etc/group, such as Heroku.

Release 4.0.15
--------------

* Out-of-band work has been much improved. The number of processes which may perform out-of-band work concurrently has been limited to 1. Furthermore, processes which are performing out-of-band work are now included in the max pool size constraint calculation. However, this means that in order to use out-of-band work, you need to have at least 2 application processes running. Out-of-band work will never be triggered if you just have 1 process. Partially fixes issue #892.
* Phusion Passenger now displays an error message to clients if too many requests are queued up. By default, "too many" is 100. You may customize this with `PassengerMaxRequestQueueSize` (Apache) or `passenger_max_request_queue_size` (Nginx).
* A new configuration option, `PassengerStartTimeout` (Apache) and `passenger_start_timeout` (Nginx), has been added. This option allows you to specify a timeout for application startup. The startup timeout has existed since version 4.0.0, but before version 4.0.15 it was hardcoded at a value of 90 seconds. Now it is customizable. Fixes issue #936.
* [Enterprise] The `PassengerMaxRequestTime`/`passenger_max_request_time` feature is now available for Python and Node.js as well, and is no longer limited to just Ruby. Fixes issue #938.
* [Nginx] Introduced a configuration option `passenger_intercept_errors`, which decides if Nginx will intercept responses with HTTP status codes of 400 and higher. Its effect is similar to `proxy_intercept_errors`.
* [Standalone] Memory usage optimization: when `passenger start` is run with `--daemonize`, the frontend exits after starting the Nginx core. This saves ~20 MB of memory per `passenger start` instance.
* [Standalone] Phusion Passenger Standalone is now also packaged in the Debian packages.
* [Standalone] Fix a problem with the `passenger stop` command on Ruby 1.8.7. The 'thread' library was not properly required, causing a crash.
* [Standalone] There is now builtin support for SSL.
* Fix a crash when multiple `passenger_pass_header` directives are set. Fixes issue #934.
* Permissions on the server instance directory are now explicitly set with chmod, so that permissions are correct on systems with a non-default umask. Fixes issue #928.
* Fix permission problems when running `passenger start` with `--user`.
* `passenger-config --detect-apache2` now correctly detects the error log filename on Amazon Linux. Fixes issue #933.
* An environment variable `PASSENGER_THREAD_LOCAL_STORAGE` has been added to the build system for forcefully disabling the use of thread-local storage within the Phusion Passenger codebase. This flag is useful on systems that have broken support for thread-local storage, despite passing our build system's check for proper thread-local storage support. At the time of writing, one user has reported that Ubuntu 12.04 32-bit has broken thread-local storage report although neither the reporter nor us were able to reproduce the problem on any other systems running Ubuntu 12.04 32-bit. Note that this flag has no effect on non-Phusion Passenger code. Fixes issue #937.
* It is now possible to preprocess events before they are sent to Union Station. This is useful for removing confidential data as demonstrated in this example `config/initializers/passenger.rb` file:

      if defined?(PhusionPassenger)
        event_preprocessor = lambda do |e|
          e.payload[:sql].gsub!("secret","PASSWORD") if e.payload[:sql]
        end
        PhusionPassenger.install_framework_extensions!(:event_preprocessor => event_preprocessor)
      end
Passenger sometimes gets the date wrong when appending the http Date header to responses. This happens when the week-based year differs from the calendar year. It happens because it uses `%G` to print the year when it should be using `%Y` (see this commit: 15ed1d4).

Given the time `2013-12-30 18:12:43 UTC`, the date header using the week-based year is printed as:

```
Mon, 30 Dec 2014 18:12:43 UTC
```

Whereas the header using the calendar-based year would be printed as:

```
Mon, 30 Dec 2013 18:12:43 UTC
```

Notice that the week-based year is December of 2014. This causes cookies to appear invalid on any browser that uses the date header to calculate cookie expiration (such as Chrome). We discovered this today while debugging a problem where no users could log into our Rails app in Chrome or Firefox.
I'm not good enough at C++ yet to quickly write a unit test for this, but I wanted to submit this immediately because I imagine it is affecting a number of rails sites.
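
The following is an added example, not code from Passenger or from this pull request: a regression check for the `%G` versus `%Y` mix-up described above, including which days of a year trigger it and how a short-lived cookie looks to a client that compares `Expires` with the `Date` header. The two format strings, the function names and the client model are assumptions reconstructed from the header values quoted in the description; it relies on POSIX/glibc `gmtime_r`, `strptime` and `timegm`.

```cpp
#include <cstdio>
#include <ctime>
#include <string>
#include <vector>

// Assumed format strings, rebuilt from the two header values quoted in the
// pull request. Only the year specifier differs between them.
static const char *BUGGY_FMT = "%a, %d %b %G %H:%M:%S UTC"; // ISO 8601 week-based year
static const char *FIXED_FMT = "%a, %d %b %Y %H:%M:%S UTC"; // calendar year

// Render a UTC timestamp as a Date header value using the given format.
std::string format_date_header(time_t t, const char *fmt) {
    struct tm tm;
    gmtime_r(&t, &tm);
    char buf[64];
    size_t n = strftime(buf, sizeof(buf), fmt, &tm);
    return std::string(buf, n);
}

// Parse a header value back into a timestamp the way a client would: the
// printed year is read as a calendar year, whatever the server meant by it.
time_t parse_date_header(const std::string &value) {
    struct tm tm = {};
    if (strptime(value.c_str(), "%a, %d %b %Y %H:%M:%S", &tm) == NULL)
        return (time_t) -1;
    return timegm(&tm); // ignores the (now inconsistent) weekday field
}

// Assumed client model: cookie expiry is judged against the server's Date
// header, as the pull request describes for Chrome.
bool cookie_seems_expired(time_t now, long lifetime_secs, const char *fmt) {
    time_t expires = now + lifetime_secs;
    time_t server_date = parse_date_header(format_date_header(now, fmt));
    return expires <= server_date;
}

// List the days (YYYY-MM-DD) of a calendar year on which %G and %Y disagree.
std::vector<std::string> mismatch_days(int year) {
    std::vector<std::string> days;
    struct tm start = {};
    start.tm_year = year - 1900;
    start.tm_mday = 1; // January 1st, 00:00:00 UTC
    for (time_t t = timegm(&start); ; t += 86400) {
        struct tm tm;
        gmtime_r(&t, &tm);
        if (tm.tm_year != year - 1900)
            break; // walked past December 31st
        char g[8], y[8], day[16];
        strftime(g, sizeof(g), "%G", &tm);
        strftime(y, sizeof(y), "%Y", &tm);
        if (std::string(g) != y) {
            strftime(day, sizeof(day), "%Y-%m-%d", &tm);
            days.push_back(day);
        }
    }
    return days;
}

int main() {
    const time_t now = 1388427163; // 2013-12-30 18:12:43 UTC, the time quoted in the PR
    printf("buggy: %s\n", format_date_header(now, BUGGY_FMT).c_str());
    printf("fixed: %s\n", format_date_header(now, FIXED_FMT).c_str());
    // 1000 seconds matches the expire_after value from the session_store comment.
    printf("1000 s cookie seems expired: buggy=%d fixed=%d\n",
           cookie_seems_expired(now, 1000, BUGGY_FMT),
           cookie_seems_expired(now, 1000, FIXED_FMT));
    for (int year = 2013; year <= 2016; year++)
        for (const std::string &d : mismatch_days(year))
            printf("%%G != %%Y on %s\n", d.c_str());
    return 0;
}
```

In years such as 2016 the mismatch falls on the first days of January instead, where `%G` prints the previous year and the header date lies in the past rather than the future.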