RubyGems - gitlab-puma - Versions diffs - 4.3.1.gitlab.2 → 4.3.3.gitlab.2 - Mend

gitlab-puma 4.3.1.gitlab.2 → 4.3.3.gitlab.2

Files changed (5) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c4249da1f75e968f84766b223378a6aaf6dd022abf83d852b1c798a1a347f654
-  data.tar.gz: 449706411cb7021709240bfd9f20d8dd94a6a5fff4d8cf8dda1308be9d8a6b17
+  metadata.gz: 03e5cb5dedbb4d7954301cdff029724f82ed81b9b9fedafbc21fde9a90b62fdb
+  data.tar.gz: 703e172841c638fc21999da3b6ffc3672ad2e4a1d70c4c7a73b906571baacbbe
 SHA512:
-  metadata.gz: 4a5f2b5aa8c6e8d6a1b73c85edc684b83068a95591afa8a9688daaef6330b8fa44d5e5e3e5225c172c71400a407bf8cdd00de0702b0f93b4a0e22ebae1d28775
-  data.tar.gz: 1324855884bafd56ff03bcd6fa190a4515680a1267ad30dfe27a4efe36e805274418256c8727675c7427c79c0639441c2fecfc8cfdff915098150c7304be57c0
+  metadata.gz: a2fe9f28e21ee51ec4f8f9131747131b563b0f3e46f045cd406cc39568b98452622af27a6219eb1fb6f172eac767cbee3875a6e534e9c7e31112ff502dee2c08
+  data.tar.gz: d0d1e0232bdbe157c8258f96b2ed6c7bec5e5bc5d1e6c616360f294fa7185fa30ad53a5b4c267041b96d2720596eb036a69511a8dd88a7da3e14f1f8bc96de61

data/History.md CHANGED

@@ -6,6 +6,18 @@
 * Bugfixes
   * Your bugfix goes here (#Github Number)
+## 4.3.3 and 3.12.4 / 2020-02-28
+  * Bugfixes
+    * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
+  * Security
+    * Fix: Prevent HTTP Response splitting via CR in early hints.
+## 4.3.2 and 3.12.3 / 2020-02-27
+* Security
+  * Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.
 ## 4.3.1 and 3.12.2 / 2019-12-05
 * Security

data/lib/puma/const.rb CHANGED

@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
-    PUMA_VERSION = VERSION = "4.3.1.gitlab.2".freeze
+    PUMA_VERSION = VERSION = "4.3.3.gitlab.2".freeze
     CODE_NAME = "Mysterious Traveller".freeze
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
@@ -228,6 +228,7 @@ module Puma
     COLON = ": ".freeze
     NEWLINE = "\n".freeze
+    HTTP_INJECTION_REGEX = /[\r\n]/.freeze
     HIJACK_P = "rack.hijack?".freeze
     HIJACK = "rack.hijack".freeze

data/lib/puma/server.rb CHANGED

@@ -666,6 +666,7 @@ module Puma
             headers.each_pair do |k, vs|
               if vs.respond_to?(:to_s) && !vs.to_s.empty?
                 vs.to_s.split(NEWLINE).each do |v|
+                  next if possible_header_injection?(v)
                   fast_write client, "#{k}: #{v}\r\n"
                 end
               else
@@ -767,6 +768,7 @@ module Puma
         headers.each do |k, vs|
           case k.downcase
           when CONTENT_LENGTH2
+            next if possible_header_injection?(vs)
             content_length = vs
             next
           when TRANSFER_ENCODING
@@ -779,6 +781,7 @@ module Puma
           if vs.respond_to?(:to_s) && !vs.to_s.empty?
             vs.to_s.split(NEWLINE).each do |v|
+              next if possible_header_injection?(v)
               lines.append k, colon, v, line_ending
             end
           else
@@ -1049,5 +1052,10 @@ module Puma
     def shutting_down?
       @status == :stop || @status == :restart
     end
+    def possible_header_injection?(header_value)
+      HTTP_INJECTION_REGEX =~ header_value.to_s
+    end
+    private :possible_header_injection?
   end
 end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-puma
 version: !ruby/object:Gem::Version
-  version: 4.3.1.gitlab.2
+  version: 4.3.3.gitlab.2
 platform: ruby
 authors:
 - GitLab
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-12-11 00:00:00.000000000 Z
+date: 2020-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nio4r