puma 4.3.1-java → 4.3.3-java



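--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: aa5c4775b6154a8fda14a3a8dc2004cac2be0f81d1114e23a558e9d625a3eb89
-data.tar.gz: fc66d17895f167abb2eb59a299f50880d3b4c79f80f405d2427bb8d46ed853f9
+metadata.gz: 74024757af24c86b43fdd7360b8f8177fedfa1fb75b34f128175b16e12c4e20b
+data.tar.gz: 708c5433d1f023d23c0eda449f62294283caafbb77fcd4250f814aa5bba1d160
 SHA512:
-metadata.gz: f1db3eeddfcf8abd56c5d34d58a6f4f7485c435bc79036305b0ce69a0b0a5263a7ea543119c335726c368f405bb3f3c58e40206dbe4aa027a95744b136245d74
-data.tar.gz: d2e2229abb66f44c7811be9d7ef8c771943189b9af7a9719034bf0d50cebedea819d3428b0d1d53bb4b3d7d2d1d919562c9d6e3c885fca7c2f6d9aa2b6e67152
+metadata.gz: b9411791854d704f8be4f8df38b212cf021eb3e3c9c82c2ab71230271fb053c81219229fec9f4973f8d4cbd632b3ab9f7cace5e81c883147d7f823cfe59694a4
+data.tar.gz: 4964f5bc6d0f921f28d7526b9313d80e7a90119fce7e74c325f3540055e7e7b797fb985d49e9a21cb8f9f04a883f0a64804e2cba364899047b261d7f55164e62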
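--- a/data/History.md
+++ b/data/History.md
@@ -6,6 +6,18 @@
 * Bugfixes
 * Your bugfix goes here (#Github Number)
 
+
+## 4.3.3 and 3.12.4 / 2020-02-28
+* Bugfixes
+* Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
+* Security
+* Fix: Prevent HTTP Response splitting via CR in early hints.
+
+## 4.3.2 and 3.12.3 / 2020-02-27
+
+* Security
+* Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.
+
 ## 4.3.1 and 3.12.2 / 2019-12-05
 
 * Security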
@@ -100,7 +100,7 @@ module Puma
100
100
  # too taxing on performance.
101
101
  module Const
102
102
 
103
- PUMA_VERSION = VERSION = "4.3.1".freeze
103
+ PUMA_VERSION = VERSION = "4.3.3".freeze
104
104
  CODE_NAME = "Mysterious Traveller".freeze
105
105
  PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
106
106
 
@@ -228,6 +228,7 @@ module Puma
228
228
  COLON = ": ".freeze
229
229
 
230
230
  NEWLINE = "\n".freeze
231
+ HTTP_INJECTION_REGEX = /[\r\n]/.freeze
231
232
 
232
233
  HIJACK_P = "rack.hijack?".freeze
233
234
  HIJACK = "rack.hijack".freeze
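Review bot: `HTTP_INJECTION_REGEX` in the `@@ -228` hunk is added without a comment, and nothing in this file records what it guards or why a match means the header is dropped rather than cleaned up. A one-line comment beside the constant would keep that intent visible to the next editor: `# CR or LF inside a response header value ends the header line early and lets the value introduce further header lines (HTTP response splitting); values matching this pattern are discarded by the server rather than sanitized.` The `.freeze` is consistent with the neighbouring string constants and is worth keeping, since a Regexp literal is not frozen on the older Ruby releases this gem still targets.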
Binary file
@@ -657,6 +657,7 @@ module Puma
657
657
  headers.each_pair do |k, vs|
658
658
  if vs.respond_to?(:to_s) && !vs.to_s.empty?
659
659
  vs.to_s.split(NEWLINE).each do |v|
660
+ next if possible_header_injection?(v)
660
661
  fast_write client, "#{k}: #{v}\r\n"
661
662
  end
662
663
  else
@@ -758,6 +759,7 @@ module Puma
758
759
  headers.each do |k, vs|
759
760
  case k.downcase
760
761
  when CONTENT_LENGTH2
762
+ next if possible_header_injection?(vs)
761
763
  content_length = vs
762
764
  next
763
765
  when TRANSFER_ENCODING
@@ -770,6 +772,7 @@ module Puma
770
772
 
771
773
  if vs.respond_to?(:to_s) && !vs.to_s.empty?
772
774
  vs.to_s.split(NEWLINE).each do |v|
775
+ next if possible_header_injection?(v)
773
776
  lines.append k, colon, v, line_ending
774
777
  end
775
778
  else
@@ -1040,5 +1043,10 @@ module Puma
1040
1043
  def shutting_down?
1041
1044
  @status == :stop || @status == :restart
1042
1045
  end
1046
+
1047
+ def possible_header_injection?(header_value)
1048
+ HTTP_INJECTION_REGEX =~ header_value.to_s
1049
+ end
1050
+ private :possible_header_injection?
1043
1051
  end
1044
1052
  end
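Review bot: The header name `k` is still interpolated unchecked at `fast_write client, "#{k}: #{v}\r\n"` in the `@@ -657` hunk and appended unchecked at `lines.append k, colon, v, line_ending` in the `@@ -770` hunk, so the new value filter leaves a CR or LF inside a header key able to break the header line in exactly the way the value check now prevents. Guarding the key once at the top of each block with `next if possible_header_injection?(k)` closes that path with the helper this commit already adds; both enclosing blocks start and end outside the hunks, so the exact placement is not visible here. In `possible_header_injection?` (the `@@ -1040` hunk) `=~` returns a match offset or nil, so the predicate does not return a boolean as its `?` suffix suggests; `HTTP_INJECTION_REGEX.match?(header_value.to_s)` returns true/false and skips the MatchData allocation, provided the gem's minimum supported Ruby is 2.4 or later. The method also deserves a comment such as `# Header values containing CR or LF are rejected so they cannot terminate the header line early (HTTP response splitting).`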
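--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-version: 4.3.1
+version: 4.3.3
 platform: java
 authors:
 - Evan Phoenix
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-12-05 00:00:00.000000000 Z
+date: 2020-02-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -17,8 +17,8 @@ dependencies:
 - !ruby/object:Gem::Version
 version: '2.0'
 name: nio4r
-prerelease: false
 type: :runtime
+prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"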