puma 4.3.0-java → 4.3.3-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6e6d09366b4b771a3942466e98d52d3af9a879420e1debed767b53eaa4edaf36
-  data.tar.gz: 6f1ae43b69087282ec3c11519c0d64613180d4655a7f2d4c93a13a0856e2b99a
+  metadata.gz: 74024757af24c86b43fdd7360b8f8177fedfa1fb75b34f128175b16e12c4e20b
+  data.tar.gz: 708c5433d1f023d23c0eda449f62294283caafbb77fcd4250f814aa5bba1d160
 SHA512:
-  metadata.gz: 761970dd43e44b0f58d87129eb9c94921bdc073942ab8f351de9afea5ee471daf1ff94fe101e4e04e71988738b55b56f2bc035eba9274eb763b4071c19e5514b
-  data.tar.gz: ac47fae97e259a53e76c4153da10d2cccedee210c17bdabcffcbf585e78c8cf3eb5efcca55c87ec8218b5455a37f90421a97f8592192bbc6e4d611f90b01e082
+  metadata.gz: b9411791854d704f8be4f8df38b212cf021eb3e3c9c82c2ab71230271fb053c81219229fec9f4973f8d4cbd632b3ab9f7cace5e81c883147d7f823cfe59694a4
+  data.tar.gz: 4964f5bc6d0f921f28d7526b9313d80e7a90119fce7e74c325f3540055e7e7b797fb985d49e9a21cb8f9f04a883f0a64804e2cba364899047b261d7f55164e62

data/History.md

@@ -6,6 +6,23 @@
 * Bugfixes
   * Your bugfix goes here (#Github Number)
 
+
+## 4.3.3 and 3.12.4 / 2020-02-28
+  * Bugfixes
+    * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
+  * Security
+    * Fix: Prevent HTTP Response splitting via CR in early hints.
+
+## 4.3.2 and 3.12.3 / 2020-02-27
+
+* Security
+  * Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.
+
+## 4.3.1 and 3.12.2 / 2019-12-05
+
+* Security
+  * Fix: a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. CVE-2019-16770.
+
 ## 4.3.0 / 2019-11-07
 
 * Features

data/lib/puma/const.rb

@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "4.3.0".freeze
+    PUMA_VERSION = VERSION = "4.3.3".freeze
     CODE_NAME = "Mysterious Traveller".freeze
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
 
@@ -118,6 +118,13 @@ module Puma
     # sending data back
     WRITE_TIMEOUT = 10
 
+    # How many requests to attempt inline before sending a client back to
+    # the reactor to be subject to normal ordering. The idea here is that
+    # we amortize the cost of going back to the reactor for a well behaved
+    # but very "greedy" client across 10 requests. This prevents a not
+    # well behaved client from monopolizing the thread forever.
+    MAX_FAST_INLINE = 10
+
     # The original URI requested by the client.
     REQUEST_URI= 'REQUEST_URI'.freeze
     REQUEST_PATH = 'REQUEST_PATH'.freeze
@@ -221,6 +228,7 @@ module Puma
     COLON = ": ".freeze
 
     NEWLINE = "\n".freeze
+    HTTP_INJECTION_REGEX = /[\r\n]/.freeze
 
     HIJACK_P = "rack.hijack?".freeze
     HIJACK = "rack.hijack".freeze

data/lib/puma/server.rb

@@ -466,6 +466,8 @@ module Puma
         clean_thread_locals = @options[:clean_thread_locals]
         close_socket = true
 
+        requests = 0
+
         while true
           case handle_request(client, buffer)
           when false
@@ -479,7 +481,19 @@ module Puma
 
             ThreadPool.clean_thread_locals if clean_thread_locals
 
-            unless client.reset(@status == :run)
+            requests += 1
+
+            check_for_more_data = @status == :run
+
+            if requests >= MAX_FAST_INLINE
+              # This will mean that reset will only try to use the data it already
+              # has buffered and won't try to read more data. What this means is that
+              # every client, independent of their request speed, gets treated like a slow
+              # one once every MAX_FAST_INLINE requests.
+              check_for_more_data = false
+            end
+
+            unless client.reset(check_for_more_data)
               close_socket = false
               client.set_timeout @persistent_timeout
               @reactor.add client
@@ -643,6 +657,7 @@ module Puma
             headers.each_pair do |k, vs|
               if vs.respond_to?(:to_s) && !vs.to_s.empty?
                 vs.to_s.split(NEWLINE).each do |v|
+                  next if possible_header_injection?(v)
                   fast_write client, "#{k}: #{v}\r\n"
                 end
               else
@@ -744,6 +759,7 @@ module Puma
         headers.each do |k, vs|
           case k.downcase
           when CONTENT_LENGTH2
+            next if possible_header_injection?(vs)
             content_length = vs
             next
           when TRANSFER_ENCODING
@@ -756,6 +772,7 @@ module Puma
 
           if vs.respond_to?(:to_s) && !vs.to_s.empty?
             vs.to_s.split(NEWLINE).each do |v|
+              next if possible_header_injection?(v)
               lines.append k, colon, v, line_ending
             end
           else
@@ -1026,5 +1043,10 @@ module Puma
     def shutting_down?
       @status == :stop || @status == :restart
     end
+
+    def possible_header_injection?(header_value)
+      HTTP_INJECTION_REGEX =~ header_value.to_s
+    end
+    private :possible_header_injection?
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 4.3.0
+  version: 4.3.3
 platform: java
 authors:
 - Evan Phoenix
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-11-07 00:00:00.000000000 Z
+date: 2020-02-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -17,8 +17,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.0'
   name: nio4r
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"