puma 4.3.0 → 4.3.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f2ba02cb19976145aa1824079a79d468fad878ca58bdb902f60a58b184049714
-  data.tar.gz: fcfa744db7db86e4acfbfb3d14659ec4aefa86ec249f6105ea7c54d97e361e97
+  metadata.gz: f01631d0dd0843d149b6af364b95378f66e93b20ca449e8a734c445cfc74a9b9
+  data.tar.gz: 38ff0fb797898ba2981bfe201ce279400151e2c77d1741f028bcb168fe825bd8
 SHA512:
-  metadata.gz: 875da8dd65d1c85f3912988c0b8b371fcfe1ef2cc99dbb9d4108c2141c2a0427a3db2cca684e82f5b955c564785d3e49f3723aeb64264d76cc4395ec7da2815c
-  data.tar.gz: 7460c59d0ec3d2c1733fafd35a33c434385da60b70e325f6c85aeeb2ccdea25e07c2b16f7f08f7cc14cccdf44780d5d5f98b1581fb3565e3557dbfb844e4a332
+  metadata.gz: 4f712a8da3d29f6890321a468d49bb9eb104063d6c49ea27ce58101538b1f99180bd4c7a8f96817cf20e1a42b00e8043d760126e9cc899fe335fbddeb6462f45
+  data.tar.gz: 4bf8d5bc37ab8f45452967a3bb6c4f30e712c5a73ebaf86db82367dddd4766de651410c29295c292c4bc6b06dffd042c0bf4d3f6acf4c92e0abba6a106b8e43c

data/History.md

@@ -1,10 +1,54 @@
-## Master
+## 4.3.11 / 2022-02-11
 
-* Features
-  * Your feature goes here (#Github Number)
+* Security
+  * Always close the response body (GHSA-rmj8-8hhh-gv5h)
+
+## 4.3.10 / 2021-10-12
 
 * Bugfixes
-  * Your bugfix goes here (#Github Number)
+  * Allow UTF-8 in HTTP header values
+
+## 4.3.9 / 2021-10-12
+
+* Security
+  * Do not allow LF as a line ending in a header (CVE-2021-41136)
+
+## 4.3.8 / 2021-05-11
+
+* Security
+  * Close keepalive connections after the maximum number of fast inlined requests (#2625)
+
+## 4.3.7 / 2020-11-30
+
+* Bugfixes
+  * Backport set CONTENT_LENGTH for chunked requests (Originally: #2287, backport: #2496)
+
+## 4.3.6 / 2020-09-05
+
+* Bugfixes
+  * Explicitly include ctype.h to fix compilation warning and build error on macOS with Xcode 12 (#2304)
+  * Don't require json at boot (#2269)
+  * Set `CONTENT_LENGTH` for chunked requests (#2287)
+
+## 4.3.4/4.3.5 and 3.12.5/3.12.6 / 2020-05-22
+
+Each patchlevel release contains a separate security fix. We recommend simply upgrading to 4.3.5/3.12.6.
+
+## 4.3.3 and 3.12.4 / 2020-02-28
+  * Bugfixes
+    * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
+  * Security
+    * Fix: Prevent HTTP Response splitting via CR in early hints.
+
+## 4.3.2 and 3.12.3 / 2020-02-27
+
+* Security
+  * Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.
+
+## 4.3.1 and 3.12.2 / 2019-12-05
+
+* Security
+  * Fix: a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. CVE-2019-16770.
 
 ## 4.3.0 / 2019-11-07
 

data/ext/puma_http11/extconf.rb

@@ -1,7 +1,7 @@
 require 'mkmf'
 
 dir_config("puma_http11")
-if RUBY_PLATFORM[/mingw32/]
+if $mingw && RUBY_VERSION >= '2.4'
   append_cflags '-D_FORTIFY_SOURCE=2'
   append_ldflags '-fstack-protector'
   have_library 'ssp'

data/ext/puma_http11/http11_parser.c

@@ -14,12 +14,14 @@
 
 /*
  * capitalizes all lower-case ASCII characters,
- * converts dashes to underscores.
+ * converts dashes to underscores, and underscores to commas.
  */
 static void snake_upcase_char(char *c)
 {
     if (*c >= 'a' && *c <= 'z')
       *c &= ~0x20;
+    else if (*c == '_')
+      *c = ',';
     else if (*c == '-')
       *c = '_';
 }
@@ -428,7 +430,13 @@ case 18:
 	switch( (*p) ) {
 		case 13: goto tr26;
 		case 32: goto tr27;
+		case 127: goto st0;
 	}
+	if ( (*p) > 8 ) {
+		if ( 10 <= (*p) && (*p) <= 31 )
+			goto st0;
+	} else if ( (*p) >= 0 )
+		goto st0;
 	goto tr25;
 tr25:
 #line 44 "ext/puma_http11/http11_parser.rl"
@@ -438,9 +446,16 @@ st19:
 	if ( ++p == pe )
 		goto _test_eof19;
 case 19:
-#line 442 "ext/puma_http11/http11_parser.c"
-	if ( (*p) == 13 )
-		goto tr29;
+#line 448 "ext/puma_http11/http11_parser.c"
+	switch( (*p) ) {
+		case 13: goto tr29;
+		case 127: goto st0;
+	}
+	if ( (*p) > 8 ) {
+		if ( 10 <= (*p) && (*p) <= 31 )
+			goto st0;
+	} else if ( (*p) >= 0 )
+		goto st0;
 	goto st19;
 tr9:
 #line 51 "ext/puma_http11/http11_parser.rl"
@@ -484,7 +499,7 @@ st20:
 	if ( ++p == pe )
 		goto _test_eof20;
 case 20:
-#line 488 "ext/puma_http11/http11_parser.c"
+#line 501 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr31;
 		case 60: goto st0;
@@ -505,7 +520,7 @@ st21:
 	if ( ++p == pe )
 		goto _test_eof21;
 case 21:
-#line 509 "ext/puma_http11/http11_parser.c"
+#line 522 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr33;
 		case 60: goto st0;
@@ -526,7 +541,7 @@ st22:
 	if ( ++p == pe )
 		goto _test_eof22;
 case 22:
-#line 530 "ext/puma_http11/http11_parser.c"
+#line 543 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 43: goto st22;
 		case 58: goto st23;
@@ -551,7 +566,7 @@ st23:
 	if ( ++p == pe )
 		goto _test_eof23;
 case 23:
-#line 555 "ext/puma_http11/http11_parser.c"
+#line 568 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr8;
 		case 34: goto st0;
@@ -571,7 +586,7 @@ st24:
 	if ( ++p == pe )
 		goto _test_eof24;
 case 24:
-#line 575 "ext/puma_http11/http11_parser.c"
+#line 588 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr37;
 		case 34: goto st0;
@@ -594,7 +609,7 @@ st25:
 	if ( ++p == pe )
 		goto _test_eof25;
 case 25:
-#line 598 "ext/puma_http11/http11_parser.c"
+#line 611 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr41;
 		case 34: goto st0;
@@ -614,7 +629,7 @@ st26:
 	if ( ++p == pe )
 		goto _test_eof26;
 case 26:
-#line 618 "ext/puma_http11/http11_parser.c"
+#line 631 "ext/puma_http11/http11_parser.c"
 	switch( (*p) ) {
 		case 32: goto tr44;
 		case 34: goto st0;

data/ext/puma_http11/http11_parser.rl

@@ -12,12 +12,14 @@
 
 /*
  * capitalizes all lower-case ASCII characters,
- * converts dashes to underscores.
+ * converts dashes to underscores, and underscores to commas.
  */
 static void snake_upcase_char(char *c)
 {
     if (*c >= 'a' && *c <= 'z')
       *c &= ~0x20;
+    else if (*c == '_')
+      *c = ',';
     else if (*c == '-')
       *c = '_';
 }

data/ext/puma_http11/http11_parser_common.rl

@@ -43,7 +43,7 @@
 
   field_name = ( token -- ":" )+ >start_field $snake_upcase_field %write_field;
 
-  field_value = any* >start_value %write_value;
+  field_value = ( (any -- CTL) | "\t" )* >start_value %write_value;
 
   message_header = field_name ":" " "* field_value :> CRLF;
 

data/ext/puma_http11/org/jruby/puma/Http11Parser.java

@@ -34,9 +34,9 @@ private static short[] init__puma_parser_key_offsets_0()
 {
 	return new short [] {
 	    0,    0,    8,   17,   27,   29,   30,   31,   32,   33,   34,   36,
-	   39,   41,   44,   45,   61,   62,   78,   80,   81,   89,   97,  107,
-	  115,  124,  132,  140,  149,  158,  167,  176,  185,  194,  203,  212,
-	  221,  230,  239,  248,  257,  266,  275,  284,  293,  302,  303
+	   39,   41,   44,   45,   61,   62,   78,   85,   91,   99,  107,  117,
+	  125,  134,  142,  150,  159,  168,  177,  186,  195,  204,  213,  222,
+	  231,  240,  249,  258,  267,  276,  285,  294,  303,  312,  313
 	};
 }
 
@@ -52,26 +52,27 @@ private static char[] init__puma_parser_trans_keys_0()
 	   46,   48,   57,   48,   57,   13,   48,   57,   10,   13,   33,  124,
 	  126,   35,   39,   42,   43,   45,   46,   48,   57,   65,   90,   94,
 	  122,   10,   33,   58,  124,  126,   35,   39,   42,   43,   45,   46,
-	   48,   57,   65,   90,   94,  122,   13,   32,   13,   32,   60,   62,
-	  127,    0,   31,   34,   35,   32,   60,   62,  127,    0,   31,   34,
-	   35,   43,   58,   45,   46,   48,   57,   65,   90,   97,  122,   32,
-	   34,   35,   60,   62,  127,    0,   31,   32,   34,   35,   60,   62,
-	   63,  127,    0,   31,   32,   34,   35,   60,   62,  127,    0,   31,
-	   32,   34,   35,   60,   62,  127,    0,   31,   32,   36,   95,   45,
-	   46,   48,   57,   65,   90,   32,   36,   95,   45,   46,   48,   57,
-	   65,   90,   32,   36,   95,   45,   46,   48,   57,   65,   90,   32,
-	   36,   95,   45,   46,   48,   57,   65,   90,   32,   36,   95,   45,
-	   46,   48,   57,   65,   90,   32,   36,   95,   45,   46,   48,   57,
-	   65,   90,   32,   36,   95,   45,   46,   48,   57,   65,   90,   32,
-	   36,   95,   45,   46,   48,   57,   65,   90,   32,   36,   95,   45,
-	   46,   48,   57,   65,   90,   32,   36,   95,   45,   46,   48,   57,
-	   65,   90,   32,   36,   95,   45,   46,   48,   57,   65,   90,   32,
-	   36,   95,   45,   46,   48,   57,   65,   90,   32,   36,   95,   45,
-	   46,   48,   57,   65,   90,   32,   36,   95,   45,   46,   48,   57,
-	   65,   90,   32,   36,   95,   45,   46,   48,   57,   65,   90,   32,
-	   36,   95,   45,   46,   48,   57,   65,   90,   32,   36,   95,   45,
-	   46,   48,   57,   65,   90,   32,   36,   95,   45,   46,   48,   57,
-	   65,   90,   32,    0
+	   48,   57,   65,   90,   94,  122,   13,   32,  127,    0,    8,   10,
+	   31,   13,  127,    0,    8,   10,   31,   32,   60,   62,  127,    0,
+	   31,   34,   35,   32,   60,   62,  127,    0,   31,   34,   35,   43,
+	   58,   45,   46,   48,   57,   65,   90,   97,  122,   32,   34,   35,
+	   60,   62,  127,    0,   31,   32,   34,   35,   60,   62,   63,  127,
+	    0,   31,   32,   34,   35,   60,   62,  127,    0,   31,   32,   34,
+	   35,   60,   62,  127,    0,   31,   32,   36,   95,   45,   46,   48,
+	   57,   65,   90,   32,   36,   95,   45,   46,   48,   57,   65,   90,
+	   32,   36,   95,   45,   46,   48,   57,   65,   90,   32,   36,   95,
+	   45,   46,   48,   57,   65,   90,   32,   36,   95,   45,   46,   48,
+	   57,   65,   90,   32,   36,   95,   45,   46,   48,   57,   65,   90,
+	   32,   36,   95,   45,   46,   48,   57,   65,   90,   32,   36,   95,
+	   45,   46,   48,   57,   65,   90,   32,   36,   95,   45,   46,   48,
+	   57,   65,   90,   32,   36,   95,   45,   46,   48,   57,   65,   90,
+	   32,   36,   95,   45,   46,   48,   57,   65,   90,   32,   36,   95,
+	   45,   46,   48,   57,   65,   90,   32,   36,   95,   45,   46,   48,
+	   57,   65,   90,   32,   36,   95,   45,   46,   48,   57,   65,   90,
+	   32,   36,   95,   45,   46,   48,   57,   65,   90,   32,   36,   95,
+	   45,   46,   48,   57,   65,   90,   32,   36,   95,   45,   46,   48,
+	   57,   65,   90,   32,   36,   95,   45,   46,   48,   57,   65,   90,
+	   32,    0
 	};
 }
 
@@ -82,7 +83,7 @@ private static byte[] init__puma_parser_single_lengths_0()
 {
 	return new byte [] {
 	    0,    2,    3,    4,    2,    1,    1,    1,    1,    1,    0,    1,
-	    0,    1,    1,    4,    1,    4,    2,    1,    4,    4,    2,    6,
+	    0,    1,    1,    4,    1,    4,    3,    2,    4,    4,    2,    6,
 	    7,    6,    6,    3,    3,    3,    3,    3,    3,    3,    3,    3,
 	    3,    3,    3,    3,    3,    3,    3,    3,    3,    1,    0
 	};
@@ -95,7 +96,7 @@ private static byte[] init__puma_parser_range_lengths_0()
 {
 	return new byte [] {
 	    0,    3,    3,    3,    0,    0,    0,    0,    0,    0,    1,    1,
-	    1,    1,    0,    6,    0,    6,    0,    0,    2,    2,    4,    1,
+	    1,    1,    0,    6,    0,    6,    2,    2,    2,    2,    4,    1,
 	    1,    1,    1,    3,    3,    3,    3,    3,    3,    3,    3,    3,
 	    3,    3,    3,    3,    3,    3,    3,    3,    3,    0,    0
 	};
@@ -108,9 +109,9 @@ private static short[] init__puma_parser_index_offsets_0()
 {
 	return new short [] {
 	    0,    0,    6,   13,   21,   24,   26,   28,   30,   32,   34,   36,
-	   39,   41,   44,   46,   57,   59,   70,   73,   75,   82,   89,   96,
-	  104,  113,  121,  129,  136,  143,  150,  157,  164,  171,  178,  185,
-	  192,  199,  206,  213,  220,  227,  234,  241,  248,  255,  257
+	   39,   41,   44,   46,   57,   59,   70,   76,   81,   88,   95,  102,
+	  110,  119,  127,  135,  142,  149,  156,  163,  170,  177,  184,  191,
+	  198,  205,  212,  219,  226,  233,  240,  247,  254,  261,  263
 	};
 }
 
@@ -126,22 +127,23 @@ private static byte[] init__puma_parser_indicies_0()
 	   16,   15,    1,   17,    1,   18,   17,    1,   19,    1,   20,   21,
 	   21,   21,   21,   21,   21,   21,   21,   21,    1,   22,    1,   23,
 	   24,   23,   23,   23,   23,   23,   23,   23,   23,    1,   26,   27,
-	   25,   29,   28,   30,    1,    1,    1,    1,    1,   31,   32,    1,
-	    1,    1,    1,    1,   33,   34,   35,   34,   34,   34,   34,    1,
-	    8,    1,    9,    1,    1,    1,    1,   35,   36,    1,   38,    1,
-	    1,   39,    1,    1,   37,   40,    1,   42,    1,    1,    1,    1,
-	   41,   43,    1,   45,    1,    1,    1,    1,   44,    2,   46,   46,
-	   46,   46,   46,    1,    2,   47,   47,   47,   47,   47,    1,    2,
-	   48,   48,   48,   48,   48,    1,    2,   49,   49,   49,   49,   49,
-	    1,    2,   50,   50,   50,   50,   50,    1,    2,   51,   51,   51,
-	   51,   51,    1,    2,   52,   52,   52,   52,   52,    1,    2,   53,
-	   53,   53,   53,   53,    1,    2,   54,   54,   54,   54,   54,    1,
-	    2,   55,   55,   55,   55,   55,    1,    2,   56,   56,   56,   56,
-	   56,    1,    2,   57,   57,   57,   57,   57,    1,    2,   58,   58,
-	   58,   58,   58,    1,    2,   59,   59,   59,   59,   59,    1,    2,
-	   60,   60,   60,   60,   60,    1,    2,   61,   61,   61,   61,   61,
-	    1,    2,   62,   62,   62,   62,   62,    1,    2,   63,   63,   63,
-	   63,   63,    1,    2,    1,    1,    0
+	    1,    1,    1,   25,   29,    1,    1,    1,   28,   30,    1,    1,
+	    1,    1,    1,   31,   32,    1,    1,    1,    1,    1,   33,   34,
+	   35,   34,   34,   34,   34,    1,    8,    1,    9,    1,    1,    1,
+	    1,   35,   36,    1,   38,    1,    1,   39,    1,    1,   37,   40,
+	    1,   42,    1,    1,    1,    1,   41,   43,    1,   45,    1,    1,
+	    1,    1,   44,    2,   46,   46,   46,   46,   46,    1,    2,   47,
+	   47,   47,   47,   47,    1,    2,   48,   48,   48,   48,   48,    1,
+	    2,   49,   49,   49,   49,   49,    1,    2,   50,   50,   50,   50,
+	   50,    1,    2,   51,   51,   51,   51,   51,    1,    2,   52,   52,
+	   52,   52,   52,    1,    2,   53,   53,   53,   53,   53,    1,    2,
+	   54,   54,   54,   54,   54,    1,    2,   55,   55,   55,   55,   55,
+	    1,    2,   56,   56,   56,   56,   56,    1,    2,   57,   57,   57,
+	   57,   57,    1,    2,   58,   58,   58,   58,   58,    1,    2,   59,
+	   59,   59,   59,   59,    1,    2,   60,   60,   60,   60,   60,    1,
+	    2,   61,   61,   61,   61,   61,    1,    2,   62,   62,   62,   62,
+	   62,    1,    2,   63,   63,   63,   63,   63,    1,    2,    1,    1,
+	    0
 	};
 }
 
@@ -217,7 +219,7 @@ static final int puma_parser_en_main = 1;
 	cs = puma_parser_start;
 	}
 
-// line 90 "ext/puma_http11/http11_parser.java.rl"
+// line 88 "ext/puma_http11/http11_parser.java.rl"
 
           body_start = 0;
           content_len = 0;
@@ -420,7 +422,7 @@ case 5:
 	break; }
 	}
 
-// line 116 "ext/puma_http11/http11_parser.java.rl"
+// line 114 "ext/puma_http11/http11_parser.java.rl"
 
      parser.cs = cs;
      parser.nread += (p - off);

data/ext/puma_http11/puma_http11.c

@@ -10,6 +10,7 @@
 #include "ext_help.h"
 #include <assert.h>
 #include <string.h>
+#include <ctype.h>
 #include "http11_parser.h"
 
 #ifndef MANAGED_STRINGS

data/lib/puma/app/status.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'json'
-
 module Puma
   module App
     # Check out {#call}'s source code to see what actions this web application
@@ -19,6 +17,10 @@ module Puma
           return rack_response(403, 'Invalid auth token', 'text/plain')
         end
 
+        if env['PATH_INFO'] =~ /\/(gc-stats|stats|thread-backtraces)$/
+          require 'json'
+        end
+
         case env['PATH_INFO']
         when /\/stop$/
           @cli.stop

data/lib/puma/client.rb

@@ -153,7 +153,7 @@ module Puma
 
       begin
         data = @io.read_nonblock(CHUNK_SIZE)
-      rescue Errno::EAGAIN
+      rescue IO::WaitReadable
         return false
       rescue SystemCallError, IOError, EOFError
         raise ConnectionError, "Connection error detected during read"
@@ -285,8 +285,16 @@ module Puma
 
       te = @env[TRANSFER_ENCODING2]
 
-      if te && CHUNKED.casecmp(te) == 0
-        return setup_chunked_body(body)
+      if te
+        if te.include?(",")
+          te.split(",").each do |part|
+            if CHUNKED.casecmp(part.strip) == 0
+              return setup_chunked_body(body)
+            end
+          end
+        elsif CHUNKED.casecmp(te) == 0
+          return setup_chunked_body(body)
+        end
       end
 
       @chunked_body = false
@@ -343,7 +351,7 @@ module Puma
 
       begin
         chunk = @io.read_nonblock(want)
-      rescue Errno::EAGAIN
+      rescue IO::WaitReadable
         return false
       rescue SystemCallError, IOError
         raise ConnectionError, "Connection error detected during read"
@@ -389,7 +397,10 @@ module Puma
           raise EOFError
         end
 
-        return true if decode_chunk(chunk)
+        if decode_chunk(chunk)
+          @env[CONTENT_LENGTH] = @chunked_content_length
+          return true
+        end
       end
     end
 
@@ -402,19 +413,28 @@ module Puma
       @body.binmode
       @tempfile = @body
 
-      return decode_chunk(body)
+      @chunked_content_length = 0
+
+      if decode_chunk(body)
+        @env[CONTENT_LENGTH] = @chunked_content_length
+        return true
+      end
+    end
+
+    def write_chunk(str)
+      @chunked_content_length += @body.write(str)
     end
 
     def decode_chunk(chunk)
       if @partial_part_left > 0
         if @partial_part_left <= chunk.size
           if @partial_part_left > 2
-            @body << chunk[0..(@partial_part_left-3)] # skip the \r\n
+            write_chunk(chunk[0..(@partial_part_left-3)]) # skip the \r\n
           end
           chunk = chunk[@partial_part_left..-1]
           @partial_part_left = 0
         else
-          @body << chunk if @partial_part_left > 2 # don't include the last \r\n
+          write_chunk(chunk) if @partial_part_left > 2 # don't include the last \r\n
           @partial_part_left -= chunk.size
           return false
         end
@@ -461,12 +481,12 @@ module Puma
 
           case
           when got == len
-            @body << part[0..-3] # to skip the ending \r\n
+            write_chunk(part[0..-3]) # to skip the ending \r\n
           when got <= len - 2
-            @body << part
+            write_chunk(part)
             @partial_part_left = len - part.size
           when got == len - 1 # edge where we get just \r but not \n
-            @body << part[0..-2]
+            write_chunk(part[0..-2])
             @partial_part_left = len - part.size
           end
         else

data/lib/puma/const.rb

@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "4.3.0".freeze
+    PUMA_VERSION = VERSION = "4.3.11".freeze
     CODE_NAME = "Mysterious Traveller".freeze
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
 
@@ -118,6 +118,13 @@ module Puma
     # sending data back
     WRITE_TIMEOUT = 10
 
+    # How many requests to attempt inline before sending a client back to
+    # the reactor to be subject to normal ordering. The idea here is that
+    # we amortize the cost of going back to the reactor for a well behaved
+    # but very "greedy" client across 10 requests. This prevents a not
+    # well behaved client from monopolizing the thread forever.
+    MAX_FAST_INLINE = 10
+
     # The original URI requested by the client.
     REQUEST_URI= 'REQUEST_URI'.freeze
     REQUEST_PATH = 'REQUEST_PATH'.freeze
@@ -221,6 +228,7 @@ module Puma
     COLON = ": ".freeze
 
     NEWLINE = "\n".freeze
+    HTTP_INJECTION_REGEX = /[\r\n]/.freeze
 
     HIJACK_P = "rack.hijack?".freeze
     HIJACK = "rack.hijack".freeze

data/lib/puma/server.rb

@@ -466,6 +466,8 @@ module Puma
         clean_thread_locals = @options[:clean_thread_locals]
         close_socket = true
 
+        requests = 0
+
         while true
           case handle_request(client, buffer)
           when false
@@ -479,7 +481,24 @@ module Puma
 
             ThreadPool.clean_thread_locals if clean_thread_locals
 
-            unless client.reset(@status == :run)
+            requests += 1
+
+            # Closing keepalive sockets after they've made a reasonable
+            # number of requests allows Puma to service many connections
+            # fairly, even when the number of concurrent connections exceeds
+            # the size of the threadpool. It also allows cluster mode Pumas
+            # to keep load evenly distributed across workers, because clients
+            # are randomly assigned a new worker when opening a new connection.
+            #
+            # Previously, Puma would kick connections in this conditional back
+            # to the reactor. However, because this causes the todo set to increase
+            # in size, the wait_until_full mutex would never unlock, leaving
+            # any additional connections unserviced.
+            break if requests >= MAX_FAST_INLINE
+
+            check_for_more_data = @status == :run
+
+            unless client.reset(check_for_more_data)
               close_socket = false
               client.set_timeout @persistent_timeout
               @reactor.add client
@@ -643,6 +662,7 @@ module Puma
             headers.each_pair do |k, vs|
               if vs.respond_to?(:to_s) && !vs.to_s.empty?
                 vs.to_s.split(NEWLINE).each do |v|
+                  next if possible_header_injection?(v)
                   fast_write client, "#{k}: #{v}\r\n"
                 end
               else
@@ -657,6 +677,37 @@ module Puma
         }
       end
 
+      # Fixup any headers with , in the name to have _ now. We emit
+      # headers with , in them during the parse phase to avoid ambiguity
+      # with the - to _ conversion for critical headers. But here for
+      # compatibility, we'll convert them back. This code is written to
+      # avoid allocation in the common case (ie there are no headers
+      # with , in their names), that's why it has the extra conditionals.
+
+      to_delete = nil
+      to_add = nil
+
+      env.each do |k,v|
+        if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
+          if to_delete
+            to_delete << k
+          else
+            to_delete = [k]
+          end
+
+          unless to_add
+            to_add = {}
+          end
+
+          to_add[k.tr(",", "_")] = v
+        end
+      end
+
+      if to_delete
+        to_delete.each { |k| env.delete(k) }
+        env.merge! to_add
+      end
+
       # A rack extension. If the app writes #call'ables to this
       # array, we will invoke them when the request is done.
       #
@@ -744,6 +795,7 @@ module Puma
         headers.each do |k, vs|
           case k.downcase
           when CONTENT_LENGTH2
+            next if possible_header_injection?(vs)
             content_length = vs
             next
           when TRANSFER_ENCODING
@@ -756,6 +808,7 @@ module Puma
 
           if vs.respond_to?(:to_s) && !vs.to_s.empty?
             vs.to_s.split(NEWLINE).each do |v|
+              next if possible_header_injection?(v)
               lines.append k, colon, v, line_ending
             end
           else
@@ -820,11 +873,14 @@ module Puma
         end
 
       ensure
-        uncork_socket client
+        begin
+          uncork_socket client
 
-        body.close
-        req.tempfile.unlink if req.tempfile
-        res_body.close if res_body.respond_to? :close
+          body.close
+          req.tempfile.unlink if req.tempfile
+        ensure
+          res_body.close if res_body.respond_to? :close
+        end
 
         after_reply.each { |o| o.call }
       end
@@ -1026,5 +1082,10 @@ module Puma
     def shutting_down?
       @status == :stop || @status == :restart
     end
+
+    def possible_header_injection?(header_value)
+      HTTP_INJECTION_REGEX =~ header_value.to_s
+    end
+    private :possible_header_injection?
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 4.3.0
+  version: 4.3.11
 platform: ruby
 authors:
 - Evan Phoenix
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-11-07 00:00:00.000000000 Z
+date: 1980-01-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nio4r
@@ -121,7 +121,7 @@ licenses:
 metadata:
   msys2_mingw_dependencies: openssl
   changelog_uri: https://github.com/puma/puma/blob/master/History.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -136,8 +136,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.2.26
+signing_key:
 specification_version: 4
 summary: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for
   Ruby/Rack applications