puma 4.3.0 → 4.3.1
- checksums.yaml +4 -4
- data/History.md +5 -0
- data/lib/puma/const.rb +8 -1
- data/lib/puma/server.rb +15 -1
- metadata +2 -2
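--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0c3e9fdfe5225baf88ff5ee9ec6f58201a220a482d72e5217309964a22b7ccc0
+data.tar.gz: 541ad3a7311662ca31e3de234870b03d6aac3eb925c8ad04e7a857bac097edc8
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8dc3a1d604212819aa8dc549b767cf00e3c237c95f0053ec61f6750666097980a1fbd2c350b1c47e59a1047d1a0bb35451914629f2829a66ded20a930939a60e
+data.tar.gz: f906230de96dd55841faaf6968939b4a096acb9933e91b34c8aada201e1c5e259c567ce8dce744490093072f6cb9d9553b7d83752e07ec7502973c72990563d4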
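--- a/data/History.md
+++ b/data/History.md
@@ -6,6 +6,11 @@
 * Bugfixes
 * Your bugfix goes here (#Github Number)
 
+## 4.3.1 and 3.12.2 / 2019-12-05
+
+* Security
+* Fix: a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. CVE-2019-16770.
+
 ## 4.3.0 / 2019-11-07
 
 * Features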
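--- a/data/lib/puma/const.rb
+++ b/data/lib/puma/const.rb
@@ -100,7 +100,7 @@ module Puma
 # too taxing on performance.
 module Const
 
-PUMA_VERSION = VERSION = "4.3.
+PUMA_VERSION = VERSION = "4.3.1".freeze
 CODE_NAME = "Mysterious Traveller".freeze
 PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
 
@@ -118,6 +118,13 @@ module Puma
 # sending data back
 WRITE_TIMEOUT = 10
 
+# How many requests to attempt inline before sending a client back to
+# the reactor to be subject to normal ordering. The idea here is that
+# we amortize the cost of going back to the reactor for a well behaved
+# but very "greedy" client across 10 requests. This prevents a not
+# well behaved client from monopolizing the thread forever.
+MAX_FAST_INLINE = 10
+
 # The original URI requested by the client.
 REQUEST_URI= 'REQUEST_URI'.freeze
 REQUEST_PATH = 'REQUEST_PATH'.freeze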
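Review bot: The new comment on `MAX_FAST_INLINE` repeats the literal it documents ("across 10 requests") one line above `MAX_FAST_INLINE = 10`, so the prose and the value will drift apart the first time the limit is tuned; write `# but very "greedy" client across MAX_FAST_INLINE requests.` instead. It would also help readers of this constant to know what it actually changes in the server loop, since the comment only states the intent: add `# Once a connection has served this many requests on one thread, the next reset is done without reading more from the socket.` so the behaviour is documented next to the knob rather than only at the call site.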
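--- a/data/lib/puma/server.rb
+++ b/data/lib/puma/server.rb
@@ -466,6 +466,8 @@ module Puma
 clean_thread_locals = @options[:clean_thread_locals]
 close_socket = true
 
+requests = 0
+
 while true
 case handle_request(client, buffer)
 when false
@@ -479,7 +481,19 @@ module Puma
 
 ThreadPool.clean_thread_locals if clean_thread_locals
 
-
+requests += 1
+
+check_for_more_data = @status == :run
+
+if requests >= MAX_FAST_INLINE
+# This will mean that reset will only try to use the data it already
+# has buffered and won't try to read more data. What this means is that
+# every client, independent of their request speed, gets treated like a slow
+# one once every MAX_FAST_INLINE requests.
+check_for_more_data = false
+end
+
+unless client.reset(check_for_more_data)
 close_socket = false
 client.set_timeout @persistent_timeout
 @reactor.add client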
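Review bot: The comment above `check_for_more_data = false` says a client is "treated like a slow one once every MAX_FAST_INLINE requests", but `requests` is never reset and the guard is `>=`, so once a connection reaches the threshold every further request it serves inside this `while true` loop (if the loop carries on after `client.reset` returns true, which is decided outside the hunk) is handled with `check_for_more_data = false`, not one in every MAX_FAST_INLINE. For a keepalive flood that stricter behaviour is the safer one, so the fix is to make the comment match the code: `# one from the MAX_FAST_INLINE-th request onward, for as long as it stays on this thread.` This diff also adds no regression test; one that pipelines more than MAX_FAST_INLINE keepalive requests on a single connection and asserts the connection is handed back to `@reactor` would pin the CVE-2019-16770 fix named in History.md. `MAX_FAST_INLINE` is referenced bare here while it is defined under `Puma::Const`, which presumably relies on that module being included in this class. The enclosing method starts before and continues after the hunk.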
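--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-version: 4.3.
+version: 4.3.1
 platform: ruby
 authors:
 - Evan Phoenix
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-
+date: 2019-12-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: nio4r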