puma 3.12.2-java → 3.12.4-java
- checksums.yaml +4 -4
- data/History.md +12 -0
- data/lib/puma/const.rb +2 -1
- data/lib/puma/puma_http11.jar +0 -0
- data/lib/puma/server.rb +8 -0
- metadata +2 -2
    
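--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: bc1c0e8423cd9fa884caee68e9a30ce9842452918faddb8d42a5911da368901c
+  data.tar.gz: 248b30d1d6bde1c17d5643ba8facca3aed0fe45513648a811db4334b5718d5af
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: ef8d286c5898f7284c09d384db6a0fa1f7c77729ae49a8ff3015983f09a13e5c9fe4b7d2497deb7aa4673af5de0304b7909178722a51d1f5e62701cf635b238c
+  data.tar.gz: 1de175b0905a0019b2108c95cc37f49318b7343144e4aac5f0a818ff1691097cc1413765a39f64faa0987cf43c338ae1b67f34b9db6d1d2f3f2b18269e1588f9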
    
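--- a/data/History.md
+++ b/data/History.md
@@ -4,6 +4,18 @@
 
 * x bugfixes
 
+
+## 4.3.3 and 3.12.4 / 2020-02-28
+  * Bugfixes
+    * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
+  * Security
+    * Fix: Prevent HTTP Response splitting via CR in early hints.
+
+## 4.3.2 and 3.12.3 / 2020-02-27
+
+* Security
+  * Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.
+
 ## 4.3.1 and 3.12.2 / 2019-12-05
 
 * Security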
    
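--- a/data/lib/puma/const.rb
+++ b/data/lib/puma/const.rb
@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "3.12.
+    PUMA_VERSION = VERSION = "3.12.4".freeze
     CODE_NAME = "Llamas in Pajamas".freeze
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
 
@@ -228,6 +228,7 @@ module Puma
     COLON = ": ".freeze
 
     NEWLINE = "\n".freeze
+    HTTP_INJECTION_REGEX = /[\r\n]/.freeze
 
     HIJACK_P = "rack.hijack?".freeze
     HIJACK = "rack.hijack".freeze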
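Review bot: `HTTP_INJECTION_REGEX` is added in the second hunk without a comment, and its name does not say which characters it rejects or why. Suggest a line above it such as `# CR or LF inside a header value would end the header line early (HTTP response splitting).` The pattern covers only CR and LF; whether other control characters also need rejecting is not something this hunk shows, so the comment should state that scope explicitly.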
    
        data/lib/puma/puma_http11.jar
    CHANGED
    
    | Binary file | 
    
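--- a/data/lib/puma/server.rb
+++ b/data/lib/puma/server.rb
@@ -653,6 +653,7 @@ module Puma
           headers.each_pair do |k, vs|
             if vs.respond_to?(:to_s) && !vs.to_s.empty?
               vs.to_s.split(NEWLINE).each do |v|
+                next if possible_header_injection?(v)
                 fast_write client, "#{k}: #{v}\r\n"
               end
             else
@@ -751,6 +752,7 @@ module Puma
         headers.each do |k, vs|
           case k.downcase
           when CONTENT_LENGTH2
+            next if possible_header_injection?(vs)
             content_length = vs
             next
           when TRANSFER_ENCODING
@@ -763,6 +765,7 @@ module Puma
 
           if vs.respond_to?(:to_s) && !vs.to_s.empty?
             vs.to_s.split(NEWLINE).each do |v|
+              next if possible_header_injection?(v)
               lines.append k, colon, v, line_ending
             end
           else
@@ -1029,5 +1032,10 @@ module Puma
     def shutting_down?
       @status == :stop || @status == :restart
     end
+
+    def possible_header_injection?(header_value)
+      HTTP_INJECTION_REGEX =~ header_value.to_s
+    end
+    private :possible_header_injection?
   end
 end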
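Review bot: Only the header value is screened; the header name `k` still reaches the output unchecked in `fast_write client, "#{k}: #{v}\r\n"` (early-hints loop, first hunk) and in `lines.append k, colon, v, line_ending` (third hunk), so a CR or LF in a name would break the header framing just as one in a value would. If names can ever be derived from request data, add `next if possible_header_injection?(k)` as the first statement of both outer `each` blocks. Rejected values are also dropped silently with `next`, which hides the event from operators; logging the header name whenever a value is skipped would make such attempts visible. Both loops sit in methods that begin outside these hunks, and the `else` branches are cut off, so the handling of empty values is not reviewed here.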
    
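--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 3.12.
+  version: 3.12.4
 platform: java
 authors:
 - Evan Phoenix
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2020-02-28 00:00:00.000000000 Z
 dependencies: []
 description: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server
   for Ruby/Rack applications. Puma is intended for use in both development and production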
         |