RubyGems - gitlab-puma - Versions diffs - 4.3.1.gitlab.2 → 4.3.3.gitlab.2 - Mend

gitlab-puma 4.3.1.gitlab.2 → 4.3.3.gitlab.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c4249da1f75e968f84766b223378a6aaf6dd022abf83d852b1c798a1a347f654
-  data.tar.gz: 449706411cb7021709240bfd9f20d8dd94a6a5fff4d8cf8dda1308be9d8a6b17
+  metadata.gz: 03e5cb5dedbb4d7954301cdff029724f82ed81b9b9fedafbc21fde9a90b62fdb
+  data.tar.gz: 703e172841c638fc21999da3b6ffc3672ad2e4a1d70c4c7a73b906571baacbbe
 SHA512:
-  metadata.gz: 4a5f2b5aa8c6e8d6a1b73c85edc684b83068a95591afa8a9688daaef6330b8fa44d5e5e3e5225c172c71400a407bf8cdd00de0702b0f93b4a0e22ebae1d28775
-  data.tar.gz: 1324855884bafd56ff03bcd6fa190a4515680a1267ad30dfe27a4efe36e805274418256c8727675c7427c79c0639441c2fecfc8cfdff915098150c7304be57c0
+  metadata.gz: a2fe9f28e21ee51ec4f8f9131747131b563b0f3e46f045cd406cc39568b98452622af27a6219eb1fb6f172eac767cbee3875a6e534e9c7e31112ff502dee2c08
+  data.tar.gz: d0d1e0232bdbe157c8258f96b2ed6c7bec5e5bc5d1e6c616360f294fa7185fa30ad53a5b4c267041b96d2720596eb036a69511a8dd88a7da3e14f1f8bc96de61

data/History.md CHANGED

@@ -6,6 +6,18 @@
 * Bugfixes
   * Your bugfix goes here (#Github Number)
+## 4.3.3 and 3.12.4 / 2020-02-28
+  * Bugfixes
+    * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
+  * Security
+    * Fix: Prevent HTTP Response splitting via CR in early hints.
+## 4.3.2 and 3.12.3 / 2020-02-27
+* Security
+  * Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.
 ## 4.3.1 and 3.12.2 / 2019-12-05
 * Security

data/lib/puma/const.rb CHANGED

@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
-    PUMA_VERSION = VERSION = "4.3.1.gitlab.2".freeze
+    PUMA_VERSION = VERSION = "4.3.3.gitlab.2".freeze
     CODE_NAME = "Mysterious Traveller".freeze
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
@@ -228,6 +228,7 @@ module Puma
     COLON = ": ".freeze
     NEWLINE = "\n".freeze
+    HTTP_INJECTION_REGEX = /[\r\n]/.freeze
     HIJACK_P = "rack.hijack?".freeze
     HIJACK = "rack.hijack".freeze

data/lib/puma/server.rb CHANGED

@@ -666,6 +666,7 @@ module Puma
             headers.each_pair do |k, vs|
               if vs.respond_to?(:to_s) && !vs.to_s.empty?
                 vs.to_s.split(NEWLINE).each do |v|
+                  next if possible_header_injection?(v)
                   fast_write client, "#{k}: #{v}\r\n"
                 end
               else
@@ -767,6 +768,7 @@ module Puma
         headers.each do |k, vs|
           case k.downcase
           when CONTENT_LENGTH2
+            next if possible_header_injection?(vs)
             content_length = vs
             next
           when TRANSFER_ENCODING
@@ -779,6 +781,7 @@ module Puma
           if vs.respond_to?(:to_s) && !vs.to_s.empty?
             vs.to_s.split(NEWLINE).each do |v|
+              next if possible_header_injection?(v)
               lines.append k, colon, v, line_ending
             end
           else
@@ -1049,5 +1052,10 @@ module Puma
     def shutting_down?
       @status == :stop || @status == :restart
     end
+    def possible_header_injection?(header_value)
+      HTTP_INJECTION_REGEX =~ header_value.to_s
+    end
+    private :possible_header_injection?
   end
 end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-puma
 version: !ruby/object:Gem::Version
-  version: 4.3.1.gitlab.2
+  version: 4.3.3.gitlab.2
 platform: ruby
 authors:
 - GitLab
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-12-11 00:00:00.000000000 Z
+date: 2020-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nio4r