puma 4.3.1 → 4.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0c3e9fdfe5225baf88ff5ee9ec6f58201a220a482d72e5217309964a22b7ccc0
-  data.tar.gz: 541ad3a7311662ca31e3de234870b03d6aac3eb925c8ad04e7a857bac097edc8
+  metadata.gz: bd20b1ca1b6236f1b1677f9bc40f4ea8f980ae678e1f57e6b20987d2322f7f4a
+  data.tar.gz: bb416036092bb4657a4f30dda5c72dc6a9ff8dda391e41950f7ece18230a4a5f
 SHA512:
-  metadata.gz: 8dc3a1d604212819aa8dc549b767cf00e3c237c95f0053ec61f6750666097980a1fbd2c350b1c47e59a1047d1a0bb35451914629f2829a66ded20a930939a60e
-  data.tar.gz: f906230de96dd55841faaf6968939b4a096acb9933e91b34c8aada201e1c5e259c567ce8dce744490093072f6cb9d9553b7d83752e07ec7502973c72990563d4
+  metadata.gz: d6ce2871efeed834b717174a744ac45db359efd9969efb51b13a83f260d01def32d25fe3ac91a9a0f99483c054c89f4c40aaef988e2a7b46cb9cb54201200abc
+  data.tar.gz: c55618f49982d8c1a9161a4b8bce15878b75b960c9a28fb49c81d8934336c22023608082ba649414767d67a59436d580a12719660fa8710174dcb59823bb935d

data/History.md

@@ -6,6 +6,18 @@
 * Bugfixes
   * Your bugfix goes here (#Github Number)
 
+
+## 4.3.3 and 3.12.4 / 2020-02-28
+  * Bugfixes
+    * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
+  * Security
+    * Fix: Prevent HTTP Response splitting via CR in early hints.
+
+## 4.3.2 and 3.12.3 / 2020-02-27
+
+* Security
+  * Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.
+
 ## 4.3.1 and 3.12.2 / 2019-12-05
 
 * Security

data/lib/puma/const.rb

@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "4.3.1".freeze
+    PUMA_VERSION = VERSION = "4.3.3".freeze
     CODE_NAME = "Mysterious Traveller".freeze
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
 
@@ -228,6 +228,7 @@ module Puma
     COLON = ": ".freeze
 
     NEWLINE = "\n".freeze
+    HTTP_INJECTION_REGEX = /[\r\n]/.freeze
 
     HIJACK_P = "rack.hijack?".freeze
     HIJACK = "rack.hijack".freeze

data/lib/puma/server.rb

@@ -657,6 +657,7 @@ module Puma
             headers.each_pair do |k, vs|
               if vs.respond_to?(:to_s) && !vs.to_s.empty?
                 vs.to_s.split(NEWLINE).each do |v|
+                  next if possible_header_injection?(v)
                   fast_write client, "#{k}: #{v}\r\n"
                 end
               else
@@ -758,6 +759,7 @@ module Puma
         headers.each do |k, vs|
           case k.downcase
           when CONTENT_LENGTH2
+            next if possible_header_injection?(vs)
             content_length = vs
             next
           when TRANSFER_ENCODING
@@ -770,6 +772,7 @@ module Puma
 
           if vs.respond_to?(:to_s) && !vs.to_s.empty?
             vs.to_s.split(NEWLINE).each do |v|
+              next if possible_header_injection?(v)
               lines.append k, colon, v, line_ending
             end
           else
@@ -1040,5 +1043,10 @@ module Puma
     def shutting_down?
       @status == :stop || @status == :restart
     end
+
+    def possible_header_injection?(header_value)
+      HTTP_INJECTION_REGEX =~ header_value.to_s
+    end
+    private :possible_header_injection?
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 4.3.1
+  version: 4.3.3
 platform: ruby
 authors:
 - Evan Phoenix
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-05 00:00:00.000000000 Z
+date: 2020-02-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nio4r
@@ -136,7 +136,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for