New feature: support for SSL connections to Redis.
Webdis can now connect securely to Redis, thanks to the Hiredis
client library. Docker images for Webdis will now contain two binaries,
"webdis" and "webdis-ssl", the latter depending on OpenSSL.
See Webdis README for details: https://github.com/nicolasff/webdis#configuring-webdis-with-ssl
Two binaries are built and packaged:
* /usr/local/bin/webdis -- still without SSL and does not depend on
OpenSSL
* /usr/local/bin/webdis-ssl -- supports SSL, depends on OpenSSL but has
to be used with the webdis image as a base image or in a container
injecting the webdis config and certs.
Security update: upgrading the version of Redis bundled in
the Webdis image to fix a number of severe vulnerabilities.
* Low severity vulnerability found in redis/redis
Description: Integer Overflow or Wraparound
Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727801
Introduced through: redis/redis@6.2.5-r0
From: redis/redis@6.2.5-r0
Fixed in: 6.2.6-r0
* Medium severity vulnerability found in redis/redis
Description: Out-of-bounds Read
Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727803
Introduced through: redis/redis@6.2.5-r0
From: redis/redis@6.2.5-r0
Fixed in: 6.2.6-r0
* High severity vulnerability found in redis/redis
Description: Allocation of Resources Without Limits or Throttling
Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727783
Introduced through: redis/redis@6.2.5-r0
From: redis/redis@6.2.5-r0
Fixed in: 6.2.6-r0
* High severity vulnerability found in redis/redis
Description: CVE-2021-32626
Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727820
Introduced through: redis/redis@6.2.5-r0
From: redis/redis@6.2.5-r0
Fixed in: 6.2.6-r0
* High severity vulnerability found in redis/redis
Description: Integer Overflow or Wraparound
Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727822
Introduced through: redis/redis@6.2.5-r0
From: redis/redis@6.2.5-r0
Fixed in: 6.2.6-r0
* High severity vulnerability found in redis/redis
Description: Integer Overflow or Wraparound
Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727823
Introduced through: redis/redis@6.2.5-r0
From: redis/redis@6.2.5-r0
Fixed in: 6.2.6-r0
* High severity vulnerability found in redis/redis
Description: Integer Overflow or Wraparound
Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727825
Introduced through: redis/redis@6.2.5-r0
From: redis/redis@6.2.5-r0
Fixed in: 6.2.6-r0
* High severity vulnerability found in redis/redis
Description: Integer Overflow or Wraparound
Info: https://snyk.io/vuln/SNYK-ALPINE314-REDIS-1727826
Introduced through: redis/redis@6.2.5-r0
From: redis/redis@6.2.5-r0
Fixed in: 6.2.6-r0
* Many improvements to WebSocket implementation (#198, #199). WebSocket
support is now much more stable, and better tested. The feature is
still disabled by default, but is recommended for testing.
* Base image updated from Alpine 3.12.7 to 3.14.2 to resolve
vulnerabilities found in Alpine. Webdis itself is not at risk, but
images *based* on Webdis could be using vulnerable software if they
use packages from Alpine 3.12.7.
This is not really uninitialized, it would only happen if the string
dumped with dump_string was empty of contained invalid UTF-8. Setting
an initial value has no effect since codepoint is used as an "out"
value in utf8_iterate.
Also mark the WS client as closing before we close the Redis connection,
to avoid its last error callback (if sent) trying to send out data while
we're in the middle of freeing the client.
1. Introduce ws_client struct
2. Handle all communications from websocket.c for WS clients
3. Always use a dedicated Redis connection for WS clients
4. Add rbuf & wbuf evbuffers for incoming & outgoing WS data
5. Use event_base_once to control R/W events
6. WS test: make sure to read complete HTTP response
For WS clients, reuse a persistent cmd struct attached to the
http_client object: take the cmd built from the WS frame, and copy it to
the persistent cmd.
1. Only HTTP-based pub-sub clients were re-using a cmd object, but
WS clients were not. This led to the commands sent by a WS client
to be processed out of order, just queued to Redis but with no
guarantee that they would be de-queued from the event loop in the
same order. This change attaches a permanent cmd object (with its
associated Redis context) to WS clients just like pub-sub clients
do.
2. WS responses are also no longer sent out of order, but added to a
write buffer that is scheduled for writing as long as there is still
some data left to send. This replaces the use of http_response which
contained extra fields (headers, HTTP response) that were duplicated
without ever being sent out.
Both ws_handshake_reply and ws_reply build http_response objects without
using the status code or headers, this code can be refactored to use a
single method.
Add new pub-sub test using WebSockets, disabled by default due to
message ordering not matching what is expected.
Enable the test with `PUBSUB=1 ./ws-tests.py`
The overall rate was incorrect when using non-default intervals. Also
simplify the code using plain nanosecond values, and fix the rate for
the last event which was based on the number of sleeps instead of the
actual time elapsed.
The implementation was waiting for the client, which leaves some hanging
even after they called close(). This mirrors the behavior for HTTP
connections in client.c where close() is called right before
http_client_free.