I reviewed gunicorn version 17.5-2 as checked into saucy. This should not
be considered a full security audit, but rather a quick gauge of code
quality.
- Gunicorn provides a Python-based WSGI HTTP server; it provides several
prefork worker types, including 'sync' (simple synchronous workers,
intended to be used behind e.g. nginx reverse proxy), 'async',
'eventlet', 'gevent', and 'tornado', with the recommendation that
'tornado' not be used. Async workers use libev or libevent bindings.
- Build-deps include Python, Python setup tools
- Optional runtime dependencies include python-tornado, python-gevent,
python-pastedeploy, python-setproctitle
- Provides 'ssl' wrapped sockets if configured; does no client certificate
verification, and simply serves pre-existing certificate chain and key.
Very few configuration options.
- Can daemonize properly if requested
- Can listen on external interfaces
- Init script provides for /etc/gunicorn.d/ directory of configurations;
the init script skips the two provided 'example' files (see ignore_re in
the /usr/sbin/gunicorn-debian helper)
- No dbus
- No setuid executables
- Provides /usr/bin/gunicorn, gunicorn_django, gunicorn_paster;
provides /usr/sbin/gunicorn-debian, called from the init script
- No sudo fragments
- Tests are included in the package, but they aren't run during build;
running them relies upon 'tox' and 'pytest', and may also require
virtualenv. They might be a useful starting point for internal tests,
but the current configuration is unfortunate.
- No cron jobs
- Clean build logs
- The spawned workers can execute arbitrary Python module:function
- Does not itself do much file manipulation: just logging and some
complicated worker-to-master status files, looked safe
- Exceptions may log untrusted data
- The configurable logging may also log untrusted data, only " (double
quote) is sanitized to \" (backslash doublequote), while newlines,
escape sequences, etc., are logged without change. While this does leave
log files unambiguously parsable, it requires an impressive log analysis
tool rather than simple field-based systems. Plain 'cat' on a terminal
may be unsafe.
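To make the logging point above concrete, here is an added example (not gunicorn's code) contrasting the quote-only escaping the review describes with a variant that also escapes backslashes and C0/C1 control characters, plus a small check that tells whether a rendered line still carries raw control characters. The sample request line and User-Agent are constructed; the hardened escaping scheme (`\xNN` for control bytes) is an assumption, not anything gunicorn does.

```python
import re

# Quote-only escaping, as the review describes gunicorn's access log doing:
# only the double quote is rewritten; newlines and escape sequences pass through.
def escape_quotes_only(field):
    return field.replace('"', '\\"')

# Hardened variant (assumed, not gunicorn's code): escape the backslash, the
# double quote and every C0/C1 control character, so a quoted field can neither
# forge an extra log line nor emit a terminal escape sequence when cat'ed.
def escape_log_field(field):
    out = []
    for ch in field:
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif code < 0x20 or 0x7F <= code <= 0x9F:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)

_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Detection helper: does a rendered line still contain raw control characters?
# That is exactly the condition under which plain 'cat' on a terminal is unsafe.
def has_raw_control(line):
    return _CONTROL.search(line) is not None

# Minimal access-line renderer; the escaping function is injectable so both
# schemes can be compared on the same input.
def render_access_line(remote, request_line, status, user_agent,
                       escape=escape_log_field):
    return '%s "%s" %s "%s"' % (remote, escape(request_line),
                                status, escape(user_agent))

# Constructed sample: a User-Agent carrying a terminal "clear screen" sequence
# and a newline followed by a forged second access line.
SAMPLE_REQUEST = "GET /index.html HTTP/1.1"
SAMPLE_UA = 'Mozilla/5.0 \x1b[2J\n10.0.0.1 "GET /admin HTTP/1.1" 200 "fake"'

if __name__ == "__main__":
    weak = render_access_line("203.0.113.5", SAMPLE_REQUEST, 200, SAMPLE_UA,
                              escape_quotes_only)
    hard = render_access_line("203.0.113.5", SAMPLE_REQUEST, 200, SAMPLE_UA)
    print("quote-only:", repr(weak), "raw control:", has_raw_control(weak))
    print("hardened:  ", repr(hard), "raw control:", has_raw_control(hard))
```

With quote-only escaping the sample produces two physical lines and an ESC byte in the log; with the hardened escaping the line stays on one line and every control byte is printable, so a field-based tool can still split on the quotes.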
- Environment handling looks fine, gunicorn-debian adds /etc/gunicorn.d/
to the Python search path
- Some effort has been made to allow gunicorn to change users and groups
at startup if necessary; default configuration runs without changing,
but individual configurations can request user and group as appropriate.
Supplementary groups are completely unset, which is safe but may prevent
some convenient configurations.
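The user/group switch described above follows a fixed order that is easy to get wrong, so here is an added example (my own, not gunicorn's code) of a permanent privilege drop that clears supplementary groups the way the review notes gunicorn does, then verifies that root cannot be regained. The `_os` parameter and the `FakeOS` class are assumptions introduced so the logic can be exercised without running as root; with the default argument the function uses the real `os` module.

```python
import os

def drop_privileges(uid, gid, _os=os):
    """Permanently switch to an unprivileged uid/gid.

    Order matters: supplementary groups and the primary gid must be set while
    still root, because once setuid() has run the process can no longer call
    setgroups() or setgid(). Supplementary groups are cleared entirely, the
    safe-but-inconvenient behaviour the review observes in gunicorn.
    """
    if _os.geteuid() != 0:
        raise PermissionError("must start as root to change uid/gid")
    _os.setgroups([])   # drop every supplementary group first
    _os.setgid(gid)     # then the primary group, while still privileged
    _os.setuid(uid)     # finally the user; this step is irreversible
    # Verify the drop is permanent: an attempt to regain root must fail.
    try:
        _os.setuid(0)
    except OSError:
        pass
    else:
        raise RuntimeError("privilege drop was not permanent")
    return _os.getuid(), _os.getgid(), tuple(_os.getgroups())


class FakeOS:
    """In-memory stand-in for the os module (assumed, for demonstration only).

    It enforces the same rule as the kernel for a process without CAP_SETUID:
    only uid 0 may change ids, so a setuid() to a non-zero uid is permanent.
    """

    def __init__(self, uid=0, gid=0, groups=(0, 4, 27)):
        self.uid, self.gid, self.groups = uid, gid, list(groups)
        self.calls = []   # records the order of id-changing calls

    def _require_root(self, name):
        self.calls.append(name)
        if self.uid != 0:
            raise PermissionError("%s: operation not permitted" % name)

    def geteuid(self):
        return self.uid

    def getuid(self):
        return self.uid

    def getgid(self):
        return self.gid

    def getgroups(self):
        return list(self.groups)

    def setgroups(self, groups):
        self._require_root("setgroups")
        self.groups = list(groups)

    def setgid(self, gid):
        self._require_root("setgid")
        self.gid = gid

    def setuid(self, uid):
        self._require_root("setuid")
        self.uid = uid


if __name__ == "__main__":
    fake = FakeOS()
    print(drop_privileges(33, 33, _os=fake), fake.calls)
```

Swapping the `setgid` and `setuid` lines is the classic mistake: with the real kernel `setgid` then fails with EPERM and the process keeps its original gid, which is why the verification step at the end is worth keeping even in production code.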
- Network input looked properly distrusted everywhere. Sync workers assume
a trusted reverse proxy handles belligerent clients; async workers were
designed to handle belligerent clients.
- Temporary files used only for worker-to-master signaling; they are
deleted very shortly after creation, with specific permissions and
mkstemp creation.
- Does not use webkit
Code quality was overall high, though sometimes "more dynamic" than
necessary (the signal handling code is good for a giggle :) but I didn't
spot any actual problems from these bursts of youthful exuberance.
Please investigate if the tests can be reasonably integrated into the
build process (without requiring virtualenv).
Security team ACK for promoting to main.
Thanks
** Changed in: gunicorn (Ubuntu)
Assignee: Seth Arnold (seth-arnold) => (unassigned)
https://bugs.launchpad.net/bugs/1207013
Title:
[MIR] gunicorn