rack-ssl-enforcer

Make middleware thread-safe

Open titanous opened this issue 6 years ago • 2 comments

Rack middleware must not use instance variables for state, as the same instance can be called by multiple threads. This patch changes the middleware to pass all request state as method arguments.

As a result of the lack of thread safety in the current version, it is possible for the middleware to handle a request incorrectly, using the @request instance variable from another request. This can present itself as random redirects to other URLs for a small subset of requests, when using a threaded Rack server like Puma.

I have reproduced and verified this issue using a test application with many requests in a specific pattern that we observed in production to trigger this issue. After this patch, the issue no longer occurs.

titanous, Oct 07 '19 20:10
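The failure mode described in the post above, as an added example that is not code from rack-ssl-enforcer or from the patch: one middleware instance keeps the request in `@request`, a second request overwrites it while the first is still in flight, and the first request is redirected to the second one's URL. The class names, hosts, paths and the `gate` hook are assumptions made for the demonstration; the variant that passes state as a method argument is unaffected.

```ruby
# Added example. Rack-style middleware without the rack gem; all names are hypothetical.
# `gate` is a test-only hook used to force one specific thread interleaving.
class UnsafeEnforcer
  def initialize(app, gate: ->(_env) {})
    @app = app
    @gate = gate # configuration set once at boot: safe to keep on the instance
  end

  def call(env)
    @request = env # per-request state on an instance shared by every thread
    @gate.call(env)
    [301, { "location" => redirect_url }, []]
  end

  private
  def redirect_url
    "https://#{@request['HTTP_HOST']}#{@request['PATH_INFO']}"
  end
end

class SafeEnforcer < UnsafeEnforcer
  def call(env)
    @gate.call(env)
    [301, { "location" => redirect_url(env) }, []] # state travels as an argument
  end

  private
  def redirect_url(env)
    "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
  end
end

# Request A pauses inside call until request B has passed through the same instance.
def location_for_request_a(klass)
  a_paused = Queue.new
  b_done = Queue.new
  gate = lambda do |env|
    next unless env["PATH_INFO"] == "/a"
    a_paused << true
    b_done.pop
  end
  middleware = klass.new(nil, gate: gate)
  a = Thread.new { middleware.call({ "HTTP_HOST" => "a.example", "PATH_INFO" => "/a" }) }
  a_paused.pop
  middleware.call({ "HTTP_HOST" => "b.example", "PATH_INFO" => "/b" })
  b_done << true
  a.value[1]["location"]
end
puts "unsafe: #{location_for_request_a(UnsafeEnforcer)}", "safe: #{location_for_request_a(SafeEnforcer)}"
```

In a test suite, the same forced interleaving can serve as a regression check that a middleware instance holds no per-request state.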

It'd be nice if this could get merged.

jubishop, May 02 '21 19:05

I've published my own version of rack-ssl-enforcer to RubyGems.org under the name spinels-rack-ssl-enforcer with this patch applied. The repo is at https://github.com/spinels/rack-ssl-enforcer.

dentarg, Apr 21 '22 19:04