puma 3.12.2 → 3.12.4
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of puma might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/History.md +12 -0
- data/lib/puma/const.rb +2 -1
- data/lib/puma/server.rb +8 -0
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 90c787c1348aac4bd79f044a1d8a7014c21a5bf2367bb6362ab7aad7149aad0b
|
|
4
|
+
data.tar.gz: e1f3c2988248be7b1fe505589d9062939c01fc5a98436dfde40a5c4fe797716f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2f4007051eecb452c7afa81869d521433a42dd5b05032fb348603086ce07912b482f03fa0073bef75103c3d1c1676836fb2816373750cff4097969b0f7b92da5
|
|
7
|
+
data.tar.gz: 4932f28317bb3100de12e531dbc00e4e944357cce687a56034c8d08919cf137050f22ce288015449a8b1123a51b61820d932df77b57d6aeda6101526b271de47
|
data/History.md
CHANGED
|
@@ -4,6 +4,18 @@
|
|
|
4
4
|
|
|
5
5
|
* x bugfixes
|
|
6
6
|
|
|
7
|
+
|
|
8
|
+
## 4.3.3 and 3.12.4 / 2020-02-28
|
|
9
|
+
* Bugfixes
|
|
10
|
+
* Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
|
|
11
|
+
* Security
|
|
12
|
+
* Fix: Prevent HTTP Response splitting via CR in early hints.
|
|
13
|
+
|
|
14
|
+
## 4.3.2 and 3.12.3 / 2020-02-27
|
|
15
|
+
|
|
16
|
+
* Security
|
|
17
|
+
* Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.
|
|
18
|
+
|
|
7
19
|
## 4.3.1 and 3.12.2 / 2019-12-05
|
|
8
20
|
|
|
9
21
|
* Security
|
data/lib/puma/const.rb
CHANGED
|
@@ -100,7 +100,7 @@ module Puma
|
|
|
100
100
|
# too taxing on performance.
|
|
101
101
|
module Const
|
|
102
102
|
|
|
103
|
-
PUMA_VERSION = VERSION = "3.12.
|
|
103
|
+
PUMA_VERSION = VERSION = "3.12.4".freeze
|
|
104
104
|
CODE_NAME = "Llamas in Pajamas".freeze
|
|
105
105
|
PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
|
|
106
106
|
|
|
@@ -228,6 +228,7 @@ module Puma
|
|
|
228
228
|
COLON = ": ".freeze
|
|
229
229
|
|
|
230
230
|
NEWLINE = "\n".freeze
|
|
231
|
+
HTTP_INJECTION_REGEX = /[\r\n]/.freeze
|
|
231
232
|
|
|
232
233
|
HIJACK_P = "rack.hijack?".freeze
|
|
233
234
|
HIJACK = "rack.hijack".freeze
|
data/lib/puma/server.rb
CHANGED
|
@@ -653,6 +653,7 @@ module Puma
|
|
|
653
653
|
headers.each_pair do |k, vs|
|
|
654
654
|
if vs.respond_to?(:to_s) && !vs.to_s.empty?
|
|
655
655
|
vs.to_s.split(NEWLINE).each do |v|
|
|
656
|
+
next if possible_header_injection?(v)
|
|
656
657
|
fast_write client, "#{k}: #{v}\r\n"
|
|
657
658
|
end
|
|
658
659
|
else
|
|
@@ -751,6 +752,7 @@ module Puma
|
|
|
751
752
|
headers.each do |k, vs|
|
|
752
753
|
case k.downcase
|
|
753
754
|
when CONTENT_LENGTH2
|
|
755
|
+
next if possible_header_injection?(vs)
|
|
754
756
|
content_length = vs
|
|
755
757
|
next
|
|
756
758
|
when TRANSFER_ENCODING
|
|
@@ -763,6 +765,7 @@ module Puma
|
|
|
763
765
|
|
|
764
766
|
if vs.respond_to?(:to_s) && !vs.to_s.empty?
|
|
765
767
|
vs.to_s.split(NEWLINE).each do |v|
|
|
768
|
+
next if possible_header_injection?(v)
|
|
766
769
|
lines.append k, colon, v, line_ending
|
|
767
770
|
end
|
|
768
771
|
else
|
|
@@ -1029,5 +1032,10 @@ module Puma
|
|
|
1029
1032
|
def shutting_down?
|
|
1030
1033
|
@status == :stop || @status == :restart
|
|
1031
1034
|
end
|
|
1035
|
+
|
|
1036
|
+
def possible_header_injection?(header_value)
|
|
1037
|
+
HTTP_INJECTION_REGEX =~ header_value.to_s
|
|
1038
|
+
end
|
|
1039
|
+
private :possible_header_injection?
|
|
1032
1040
|
end
|
|
1033
1041
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puma
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.12.
|
|
4
|
+
version: 3.12.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Evan Phoenix
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-02-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies: []
|
|
13
13
|
description: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server
|
|
14
14
|
for Ruby/Rack applications. Puma is intended for use in both development and production
|
|
@@ -108,7 +108,7 @@ licenses:
|
|
|
108
108
|
- BSD-3-Clause
|
|
109
109
|
metadata:
|
|
110
110
|
msys2_mingw_dependencies: openssl
|
|
111
|
-
post_install_message:
|
|
111
|
+
post_install_message:
|
|
112
112
|
rdoc_options: []
|
|
113
113
|
require_paths:
|
|
114
114
|
- lib
|
|
@@ -123,8 +123,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
123
123
|
- !ruby/object:Gem::Version
|
|
124
124
|
version: '0'
|
|
125
125
|
requirements: []
|
|
126
|
-
rubygems_version: 3.0.
|
|
127
|
-
signing_key:
|
|
126
|
+
rubygems_version: 3.0.6
|
|
127
|
+
signing_key:
|
|
128
128
|
specification_version: 4
|
|
129
129
|
summary: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for
|
|
130
130
|
Ruby/Rack applications
|