puma 3.12.2-java → 3.12.4-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 835d444c7e619728a20f960ff33b6d09c0ee07b5d63428ba34ce22e7408ecbfb
-  data.tar.gz: 7474d589404b47d916e134be4ed568652f029be024dfbb82c7ab404a7cb50daa
+  metadata.gz: bc1c0e8423cd9fa884caee68e9a30ce9842452918faddb8d42a5911da368901c
+  data.tar.gz: 248b30d1d6bde1c17d5643ba8facca3aed0fe45513648a811db4334b5718d5af
 SHA512:
-  metadata.gz: 4cae9db11916b0e7838fd3949f7a71a7531ad9fb2c32f8312686a614d8f5b04a24d60b790ddca3af9c47dccad5212ba64f180d04a45d5ad47dfdb7f3c39054c5
-  data.tar.gz: 79a5ff3eb5c648690829404bc15535ae4f8082f3bdb5bc1740bbc36fdaa836fe4e32bdf7f3597b11a48a8f9ca0e98ffbb6370109747c378d2df707d90caaeadc
+  metadata.gz: ef8d286c5898f7284c09d384db6a0fa1f7c77729ae49a8ff3015983f09a13e5c9fe4b7d2497deb7aa4673af5de0304b7909178722a51d1f5e62701cf635b238c
+  data.tar.gz: 1de175b0905a0019b2108c95cc37f49318b7343144e4aac5f0a818ff1691097cc1413765a39f64faa0987cf43c338ae1b67f34b9db6d1d2f3f2b18269e1588f9

data/History.md

@@ -4,6 +4,18 @@
 
 * x bugfixes
 
+
+## 4.3.3 and 3.12.4 / 2020-02-28
+  * Bugfixes
+    * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
+  * Security
+    * Fix: Prevent HTTP Response splitting via CR in early hints.
+
+## 4.3.2 and 3.12.3 / 2020-02-27
+
+* Security
+  * Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.
+
 ## 4.3.1 and 3.12.2 / 2019-12-05
 
 * Security

data/lib/puma/const.rb

@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "3.12.2".freeze
+    PUMA_VERSION = VERSION = "3.12.4".freeze
     CODE_NAME = "Llamas in Pajamas".freeze
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
 
@@ -228,6 +228,7 @@ module Puma
     COLON = ": ".freeze
 
     NEWLINE = "\n".freeze
+    HTTP_INJECTION_REGEX = /[\r\n]/.freeze
 
     HIJACK_P = "rack.hijack?".freeze
     HIJACK = "rack.hijack".freeze

data/lib/puma/server.rb

@@ -653,6 +653,7 @@ module Puma
           headers.each_pair do |k, vs|
             if vs.respond_to?(:to_s) && !vs.to_s.empty?
               vs.to_s.split(NEWLINE).each do |v|
+                next if possible_header_injection?(v)
                 fast_write client, "#{k}: #{v}\r\n"
               end
             else
@@ -751,6 +752,7 @@ module Puma
         headers.each do |k, vs|
           case k.downcase
           when CONTENT_LENGTH2
+            next if possible_header_injection?(vs)
             content_length = vs
             next
           when TRANSFER_ENCODING
@@ -763,6 +765,7 @@ module Puma
 
           if vs.respond_to?(:to_s) && !vs.to_s.empty?
             vs.to_s.split(NEWLINE).each do |v|
+              next if possible_header_injection?(v)
               lines.append k, colon, v, line_ending
             end
           else
@@ -1029,5 +1032,10 @@ module Puma
     def shutting_down?
       @status == :stop || @status == :restart
     end
+
+    def possible_header_injection?(header_value)
+      HTTP_INJECTION_REGEX =~ header_value.to_s
+    end
+    private :possible_header_injection?
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 3.12.2
+  version: 3.12.4
 platform: java
 authors:
 - Evan Phoenix
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-12-05 00:00:00.000000000 Z
+date: 2020-02-28 00:00:00.000000000 Z
 dependencies: []
 description: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server
   for Ruby/Rack applications. Puma is intended for use in both development and production