puma 3.12.2 → 3.12.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8483f2a5087645c3b4a3f066a9ad804849c9c81d9df9c50ee17cc5a6594071bb
-  data.tar.gz: aee48433624d9efaeafe08c7747a38e8fd843645861ae82b3e2d8c59f1b7ecb5
+  metadata.gz: da843833fd17b4bb2283f4c5161a1aa9367a6613455b8fbf31bae49393db4f80
+  data.tar.gz: bd9259270bd27f8421827c66e7f515044f51a7672c3dc755836d2a6b1240e84d
 SHA512:
-  metadata.gz: 95aa82dbc1af85a87975c27f5061ccd55349950e3d17336ad62271788601821f835dc53b9f8542d008de0d6f7f4fc8b128a89cf5300488016f573c34e319ee62
-  data.tar.gz: e4e97b12c6c3d285fb327201760f2ffcd80dd716f67b52aee02670940d141832ba28044ddfda969df173ebe9bbe1b58068714e6308897d62d308ee6daebe3f29
+  metadata.gz: 74d807145c97b7714c04ebf7858af57b1cdf00e87217b8a88428494718893f7670ffd27216c31164f57bd96984cd8e79f3c7f856d39c1b54c192965fe8ecdec8
+  data.tar.gz: e0616e41dceddc3b8aad69a5baab5b49007053d151bf2689de173495f3160900269bab94c539a47fe2bbdd2db1aab98a0df8177ece857a06bea6261c5d37a704

data/History.md

@@ -4,6 +4,18 @@
 
 * x bugfixes
 
+
+## 4.3.3 and 3.12.4 / 2020-02-28
+  * Bugfixes
+    * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
+  * Security
+    * Fix: Prevent HTTP Response splitting via CR in early hints.
+
+## 4.3.2 and 3.12.3 / 2020-02-27
+
+* Security
+  * Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.
+
 ## 4.3.1 and 3.12.2 / 2019-12-05
 
 * Security

data/ext/puma_http11/http11_parser.c

@@ -14,12 +14,14 @@
 
 /*
  * capitalizes all lower-case ASCII characters,
- * converts dashes to underscores.
+ * converts dashes to underscores, and underscores to commas.
  */
 static void snake_upcase_char(char *c)
 {
     if (*c >= 'a' && *c <= 'z')
       *c &= ~0x20;
+    else if (*c == '_')
+      *c = ',';
     else if (*c == '-')
       *c = '_';
 }

data/ext/puma_http11/http11_parser.rl

@@ -12,12 +12,14 @@
 
 /*
  * capitalizes all lower-case ASCII characters,
- * converts dashes to underscores.
+ * converts dashes to underscores, and underscores to commas.
  */
 static void snake_upcase_char(char *c)
 {
     if (*c >= 'a' && *c <= 'z')
       *c &= ~0x20;
+    else if (*c == '_')
+      *c = ',';
     else if (*c == '-')
       *c = '_';
 }

data/lib/puma/client.rb

@@ -244,8 +244,16 @@ module Puma
 
       te = @env[TRANSFER_ENCODING2]
 
-      if te && CHUNKED.casecmp(te) == 0
-        return setup_chunked_body(body)
+      if te
+        if te.include?(",")
+          te.split(",").each do |part|
+            if CHUNKED.casecmp(part.strip) == 0
+              return setup_chunked_body(body)
+            end
+          end
+        elsif CHUNKED.casecmp(te) == 0
+          return setup_chunked_body(body)
+        end
       end
 
       @chunked_body = false

data/lib/puma/const.rb

@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "3.12.2".freeze
+    PUMA_VERSION = VERSION = "3.12.6".freeze
     CODE_NAME = "Llamas in Pajamas".freeze
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
 
@@ -228,6 +228,7 @@ module Puma
     COLON = ": ".freeze
 
     NEWLINE = "\n".freeze
+    HTTP_INJECTION_REGEX = /[\r\n]/.freeze
 
     HIJACK_P = "rack.hijack?".freeze
     HIJACK = "rack.hijack".freeze

data/lib/puma/server.rb

@@ -653,6 +653,7 @@ module Puma
           headers.each_pair do |k, vs|
             if vs.respond_to?(:to_s) && !vs.to_s.empty?
               vs.to_s.split(NEWLINE).each do |v|
+                next if possible_header_injection?(v)
                 fast_write client, "#{k}: #{v}\r\n"
               end
             else
@@ -664,6 +665,37 @@ module Puma
         }
       end
 
+      # Fixup any headers with , in the name to have _ now. We emit
+      # headers with , in them during the parse phase to avoid ambiguity
+      # with the - to _ conversion for critical headers. But here for
+      # compatibility, we'll convert them back. This code is written to
+      # avoid allocation in the common case (ie there are no headers
+      # with , in their names), that's why it has the extra conditionals.
+
+      to_delete = nil
+      to_add = nil
+
+      env.each do |k,v|
+        if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
+          if to_delete
+            to_delete << k
+          else
+            to_delete = [k]
+          end
+
+          unless to_add
+            to_add = {}
+          end
+
+          to_add[k.gsub(",", "_")] = v
+        end
+      end
+
+      if to_delete
+        to_delete.each { |k| env.delete(k) }
+        env.merge! to_add
+      end
+
       # A rack extension. If the app writes #call'ables to this
       # array, we will invoke them when the request is done.
       #
@@ -751,6 +783,7 @@ module Puma
         headers.each do |k, vs|
           case k.downcase
           when CONTENT_LENGTH2
+            next if possible_header_injection?(vs)
             content_length = vs
             next
           when TRANSFER_ENCODING
@@ -763,6 +796,7 @@ module Puma
 
           if vs.respond_to?(:to_s) && !vs.to_s.empty?
             vs.to_s.split(NEWLINE).each do |v|
+              next if possible_header_injection?(v)
               lines.append k, colon, v, line_ending
             end
           else
@@ -1029,5 +1063,10 @@ module Puma
     def shutting_down?
       @status == :stop || @status == :restart
     end
+
+    def possible_header_injection?(header_value)
+      HTTP_INJECTION_REGEX =~ header_value.to_s
+    end
+    private :possible_header_injection?
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 3.12.2
+  version: 3.12.6
 platform: ruby
 authors:
 - Evan Phoenix
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-05 00:00:00.000000000 Z
+date: 2020-05-19 00:00:00.000000000 Z
 dependencies: []
 description: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server
   for Ruby/Rack applications. Puma is intended for use in both development and production