Alpine 3.12.4 uses a vulnerable version of libssl1.1
(CVE-2021-3449 and CVE-2021-3450), issues that are fixed in Alpine
3.12.5. This is not really a problem for Webdis since it doesn't use
SSL, but the vulnerability shows up on image scans and users who build
images with Webdis as the base image could be at risk if their own
changes depend on this library.
When strings are added as elements of an array but typed as
REDIS_REPLY_STATUS instead of REDIS_REPLY_STRING, Webdis encodes them as
nulls. REDIS_REPLY_STATUS should only be encoded as [true, str] or
[false, str] when this is a top-level status response, not an array
element. In these cases we only need the string.
Fixes#188
Webdis used to call fsync after every single log message, which had a
significant negative impact on performance. This change introduces 3
config options for fsync: no explicit fsync (the new default), a periodic
fsync called every N milliseconds, or the old behavior.
The new config key is also documented and validates its inputs.
1. plaintext was not free'd after encoding credentials
2. ACL commands were duplicated when there was no need to
In both cases the value came from conf_string_or_envvar which always
uses strdup.
We were ignoring the response sent by Redis for AUTH commands. This
commit adds a callback which logs the response; I've tested it with
valid and invalid credentials and the log message is correct in both
cases. There's a lock on the server object to only log this once; I
tried adding it on the pool object but there's one pool per thread so
we still ended up with multiple messages.
A single symbol was added to the log depending on the level, one of ".-*#"
This had an issue: there were only 4 symbols but there are 5 levels; in
addition a `%b` was used which logged a number instead of a letter.
This commit changes the logic to add a single uppercase letter instead,
based on the level (e.g. WEBDIS_ERROR is E, _INFO is I, etc.)
* Change redis_auth in struct conf to handle old and new auth
* Update cfg.c to understand an array of two strings for redis_auth
* Update pool.c to send both username and password
* Add links to new images on AWS ECR
* Clean up Markdown:
* Change all <pre>...</pre> to ``` blocks
* Add syntax info on code blocks
* Add `$` prefix in front of all commands that didn't have it
* Heading tweak
Fixes https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-587980
Even though webdis doesn't use TLS, some images could be built from the
webdis image and therefore use a vulnerable version of openssl. The fix
is in version 1.1.1g and Alpine currently has 1.1.1i.
After this change, snyk no longer report any know vulnerabilities in the
Docker image.
* Use `localtime_r` instead of `localtime`
* Use correct argument type in callback to `msgpack_packer_new`
* Address FIXME in conf.c
* Remove redundant check in websocket.c
Current test suite pass with python-msgpack v0.2 but fails with python-msgpack
v0.3 and later due to changes in the library. Modern distributions ship
python-msgpack > 0.3 for very long time ago.
The Dockerfile used to refer to the latest published tag for Webdis.
This meant updating the file every time a new release was published.
This change uses the GitHub API to find the latest tag before
downloading and building the corresponding release.
Formatting changes:
* Added `{}` after each single-line `if` (see "goto fail" bug).
* Added spaces around operators
Object key changes: reviewed the docs and selected more appropriate
names for various object keys.