puma 4.3.1 → 5.0.0

data/lib/puma/minissl.rb

@@ -5,8 +5,18 @@ begin
 rescue LoadError
 end
 
+# need for Puma::MiniSSL::OPENSSL constants used in `HAS_TLS1_3`
+require 'puma/puma_http11'
+
 module Puma
   module MiniSSL
+    # Define constant at runtime, as it's easy to determine at built time,
+    # but Puma could (it shouldn't) be loaded with an older OpenSSL version
+    # @version 5.0.0
+    HAS_TLS1_3 = !IS_JRUBY &&
+      (OPENSSL_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) != -1 &&
+      (OPENSSL_LIBRARY_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) !=-1
+
     class Socket
       def initialize(socket, engine)
         @socket = socket
@@ -22,6 +32,26 @@ module Puma
         @socket.closed?
       end
 
+      # Returns a two element array,
+      # first is protocol version (SSL_get_version),
+      # second is 'handshake' state (SSL_state_string)
+      #
+      # Used for dropping tcp connections to ssl.
+      # See OpenSSL ssl/ssl_stat.c SSL_state_string for info
+      # @version 5.0.0
+      #
+      def ssl_version_state
+        IS_JRUBY ? [nil, nil] : @engine.ssl_vers_st
+      end
+
+      # Used to check the handshake status, in particular when a TCP connection
+      # is made with TLSv1.3 as an available protocol
+      # @version 5.0.0
+      def bad_tlsv1_3?
+        HAS_TLS1_3 && @engine.ssl_vers_st == ['TLSv1.3', 'SSLERR']
+      end
+      private :bad_tlsv1_3?
+
       def readpartial(size)
         while true
           output = @engine.read
@@ -41,6 +71,7 @@ module Puma
 
       def engine_read_all
         output = @engine.read
+        raise SSLError.exception "HTTP connection?" if bad_tlsv1_3?
         while output and additional_output = @engine.read
           output << additional_output
         end
@@ -107,14 +138,18 @@ module Puma
       alias_method :<<, :write
 
       # This is a temporary fix to deal with websockets code using
-      # write_nonblock. The problem with implementing it properly
+      # write_nonblock.
+
+      # The problem with implementing it properly
       # is that it means we'd have to have the ability to rewind
       # an engine because after we write+extract, the socket
       # write_nonblock call might raise an exception and later
       # code would pass the same data in, but the engine would think
-      # it had already written the data in. So for the time being
-      # (and since write blocking is quite rare), go ahead and actually
-      # block in write_nonblock.
+      # it had already written the data in.
+      #
+      # So for the time being (and since write blocking is quite rare),
+      # go ahead and actually block in write_nonblock.
+      #
       def write_nonblock(data, *_)
         write data
       end
@@ -125,11 +160,14 @@ module Puma
 
       def read_and_drop(timeout = 1)
         return :timeout unless IO.select([@socket], nil, nil, timeout)
-        return :eof unless read_nonblock(1024)
-        :drop
-      rescue Errno::EAGAIN
-        # do nothing
-        :eagain
+        case @socket.read_nonblock(1024, exception: false)
+        when nil
+          :eof
+        when :wait_readable
+          :eagain
+        else
+          :drop
+        end
       end
 
       def should_drop_bytes?
@@ -141,9 +179,7 @@ module Puma
           # Read any drop any partially initialized sockets and any received bytes during shutdown.
           # Don't let this socket hold this loop forever.
           # If it can't send more packets within 1s, then give up.
-          while should_drop_bytes?
-            return if [:timeout, :eof].include?(read_and_drop(1))
-          end
+          return if [:timeout, :eof].include?(read_and_drop(1)) while should_drop_bytes?
         rescue IOError, SystemCallError
           Thread.current.purge_interrupt_queue if Thread.current.respond_to? :purge_interrupt_queue
           # nothing
@@ -166,12 +202,13 @@ module Puma
       end
     end
 
-    if defined?(JRUBY_VERSION)
+    if IS_JRUBY
+      OPENSSL_NO_SSL3 = false
+      OPENSSL_NO_TLS1 = false
+
       class SSLError < StandardError
         # Define this for jruby even though it isn't used.
       end
-
-      def self.check; end
     end
 
     class Context
@@ -183,7 +220,7 @@ module Puma
         @no_tlsv1_1 = false
       end
 
-      if defined?(JRUBY_VERSION)
+      if IS_JRUBY
         # jruby-specific Context properties: java uses a keystore and password pair rather than a cert/key pair
         attr_reader :keystore
         attr_accessor :keystore_pass
@@ -228,13 +265,13 @@ module Puma
 
       # disables TLSv1
       def no_tlsv1=(tlsv1)
-        raise ArgumentError, "Invalid value of no_tlsv1" unless ['true', 'false', true, false].include?(tlsv1)
+        raise ArgumentError, "Invalid value of no_tlsv1=" unless ['true', 'false', true, false].include?(tlsv1)
         @no_tlsv1 = tlsv1
       end
 
       # disables TLSv1 and TLSv1.1.  Overrides `#no_tlsv1=`
       def no_tlsv1_1=(tlsv1_1)
-        raise ArgumentError, "Invalid value of no_tlsv1" unless ['true', 'false', true, false].include?(tlsv1_1)
+        raise ArgumentError, "Invalid value of no_tlsv1_1=" unless ['true', 'false', true, false].include?(tlsv1_1)
         @no_tlsv1_1 = tlsv1_1
       end
 
@@ -270,6 +307,11 @@ module Puma
         Socket.new io, engine
       end
 
+      # @version 5.0.0
+      def addr
+        @socket.addr
+      end
+
       def close
         @socket.close unless @socket.closed?       # closed? call is for Windows
       end

data/lib/puma/minissl/context_builder.rb

@@ -2,9 +2,6 @@ module Puma
   module MiniSSL
     class ContextBuilder
       def initialize(params, events)
-        require 'puma/minissl'
-        MiniSSL.check
-
         @params = params
         @events = events
       end

data/lib/puma/null_io.rb

@@ -15,7 +15,7 @@ module Puma
     # Mimics IO#read with no data.
     #
     def read(count = nil, _buffer = nil)
-      (count && count > 0) ? nil : ""
+      count && count > 0 ? nil : ""
     end
 
     def rewind

data/lib/puma/plugin.rb

@@ -10,7 +10,7 @@ module Puma
 
     def create(name)
       if cls = Plugins.find(name)
-        plugin = cls.new(Plugin)
+        plugin = cls.new
         @instances << plugin
         return plugin
       end
@@ -104,17 +104,8 @@ module Puma
       Plugins.register name, cls
     end
 
-    def initialize(loader)
-      @loader = loader
-    end
-
     def in_background(&blk)
       Plugins.add_background blk
     end
-
-    def workers_supported?
-      return false if Puma.jruby? || Puma.windows?
-      true
-    end
   end
 end

data/lib/puma/rack/builder.rb

@@ -67,10 +67,6 @@ module Puma::Rack
           options[:environment] = e
         }
 
-        opts.on("-D", "--daemonize", "run daemonized in the background") { |d|
-          options[:daemonize] = d ? true : false
-        }
-
         opts.on("-P", "--pid FILE", "file to store PID") { |f|
           options[:pid] = ::File.expand_path(f)
         }

data/lib/puma/reactor.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require 'puma/util'
-require 'puma/minissl'
+require 'puma/minissl' if ::Puma::HAS_SSL
 
 require 'nio'
 
@@ -189,7 +189,12 @@ module Puma
                     if submon.value == @ready
                       false
                     else
-                      submon.value.close
+                      if submon.value.can_close?
+                        submon.value.close
+                      else
+                        # Pass remaining open client connections to the thread pool.
+                        @app_pool << submon.value
+                      end
                       begin
                         selector.deregister submon.value
                       rescue IOError
@@ -247,7 +252,7 @@ module Puma
                 c.close
                 clear_monitor mon
 
-                @events.ssl_error @server, addr, cert, e
+                @events.ssl_error e, addr, cert
 
               # The client doesn't know HTTP well
               rescue HttpParserError => e
@@ -258,7 +263,7 @@ module Puma
 
                 clear_monitor mon
 
-                @events.parse_error @server, c.env, e
+                @events.parse_error e, c
               rescue StandardError => e
                 @server.lowlevel_error(e, c.env)
 

data/lib/puma/runner.rb

@@ -2,7 +2,6 @@
 
 require 'puma/server'
 require 'puma/const'
-require 'puma/minissl/context_builder'
 
 module Puma
   # Generic class that is used by `Puma::Cluster` and `Puma::Single` to
@@ -18,10 +17,6 @@ module Puma
       @started_at = Time.now
     end
 
-    def daemon?
-      @options[:daemon]
-    end
-
     def development?
       @options[:environment] == "development"
     end
@@ -34,7 +29,8 @@ module Puma
       @events.log str
     end
 
-    def before_restart
+    # @version 5.0.0
+    def stop_control
       @control.stop(true) if @control
     end
 
@@ -52,8 +48,6 @@ module Puma
 
       require 'puma/app/status'
 
-      uri = URI.parse str
-
       if token = @options[:control_auth_token]
         token = nil if token.empty? || token == 'none'
       end
@@ -64,30 +58,17 @@ module Puma
       control.min_threads = 0
       control.max_threads = 1
 
-      case uri.scheme
-      when "ssl"
-          log "* Starting control server on #{str}"
-          params = Util.parse_query uri.query
-          ctx = MiniSSL::ContextBuilder.new(params, @events).context
-
-          control.add_ssl_listener uri.host, uri.port, ctx
-      when "tcp"
-        log "* Starting control server on #{str}"
-        control.add_tcp_listener uri.host, uri.port
-      when "unix"
-        log "* Starting control server on #{str}"
-        path = "#{uri.host}#{uri.path}"
-        mask = @options[:control_url_umask]
-
-        control.add_unix_listener path, mask
-      else
-        error "Invalid control URI: #{str}"
-      end
+      control.binder.parse [str], self, 'Starting control server'
 
       control.run
       @control = control
     end
 
+    # @version 5.0.0
+    def close_control_listeners
+      @control.binder.close_listeners if @control
+    end
+
     def ruby_engine
       if !defined?(RUBY_ENGINE) || RUBY_ENGINE == "ruby"
         "ruby #{RUBY_VERSION}-p#{RUBY_PATCHLEVEL}"
@@ -108,10 +89,6 @@ module Puma
       log "* Version #{Puma::Const::PUMA_VERSION} (#{ruby_engine}), codename: #{Puma::Const::CODE_NAME}"
       log "* Min threads: #{min_t}, max threads: #{max_t}"
       log "* Environment: #{ENV['RACK_ENV']}"
-
-      if @options[:mode] == :tcp
-        log "* Mode: Lopez Express (tcp)"
-      end
     end
 
     def redirected_io?
@@ -150,7 +127,6 @@ module Puma
         exit 1
       end
 
-      # Load the app before we daemonize.
       begin
         @app = @launcher.config.app
       rescue Exception => e
@@ -174,10 +150,6 @@ module Puma
       server.max_threads = max_t
       server.inherit_binder @launcher.binder
 
-      if @options[:mode] == :tcp
-        server.tcp_mode!
-      end
-
       if @options[:early_hints]
         server.early_hints = true
       end

data/lib/puma/server.rb

@@ -9,10 +9,8 @@ require 'puma/null_io'
 require 'puma/reactor'
 require 'puma/client'
 require 'puma/binder'
-require 'puma/accept_nonblock'
 require 'puma/util'
-
-require 'puma/puma_http11'
+require 'puma/io_buffer'
 
 require 'socket'
 require 'forwardable'
@@ -36,6 +34,7 @@ module Puma
 
     attr_reader :thread
     attr_reader :events
+    attr_reader :requests_count # @version 5.0.0
     attr_accessor :app
 
     attr_accessor :min_threads
@@ -57,8 +56,7 @@ module Puma
       @app = app
       @events = events
 
-      @check, @notify = Puma::Util.pipe
-
+      @check, @notify = nil
       @status = :stop
 
       @min_threads = 0
@@ -85,24 +83,34 @@ module Puma
       @mode = :http
 
       @precheck_closing = true
+
+      @requests_count = 0
     end
 
     attr_accessor :binder, :leak_stack_on_error, :early_hints
 
-    def_delegators :@binder, :add_tcp_listener, :add_ssl_listener, :add_unix_listener, :connected_port
+    def_delegators :@binder, :add_tcp_listener, :add_ssl_listener, :add_unix_listener, :connected_ports
 
     def inherit_binder(bind)
       @binder = bind
     end
 
-    def tcp_mode!
-      @mode = :tcp
+    class << self
+      # :nodoc:
+      # @version 5.0.0
+      def tcp_cork_supported?
+        RbConfig::CONFIG['host_os'] =~ /linux/ &&
+          Socket.const_defined?(:IPPROTO_TCP) &&
+          Socket.const_defined?(:TCP_CORK) &&
+          Socket.const_defined?(:TCP_INFO)
+      end
+      private :tcp_cork_supported?
     end
 
     # On Linux, use TCP_CORK to better control how the TCP stack
     # packetizes our stream. This improves both latency and throughput.
     #
-    if RUBY_PLATFORM =~ /linux/
+    if tcp_cork_supported?
       UNPACK_TCP_STATE_FROM_TCP_INFO = "C".freeze
 
       # 6 == Socket::IPPROTO_TCP
@@ -110,7 +118,7 @@ module Puma
       # 1/0 == turn on/off
       def cork_socket(socket)
         begin
-          socket.setsockopt(6, 3, 1) if socket.kind_of? TCPSocket
+          socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_CORK, 1) if socket.kind_of? TCPSocket
         rescue IOError, SystemCallError
           Thread.current.purge_interrupt_queue if Thread.current.respond_to? :purge_interrupt_queue
         end
@@ -118,7 +126,7 @@ module Puma
 
       def uncork_socket(socket)
         begin
-          socket.setsockopt(6, 3, 0) if socket.kind_of? TCPSocket
+          socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_CORK, 0) if socket.kind_of? TCPSocket
         rescue IOError, SystemCallError
           Thread.current.purge_interrupt_queue if Thread.current.respond_to? :purge_interrupt_queue
         end
@@ -129,7 +137,7 @@ module Puma
         return false unless @precheck_closing
 
         begin
-          tcp_info = socket.getsockopt(Socket::SOL_TCP, Socket::TCP_INFO)
+          tcp_info = socket.getsockopt(Socket::IPPROTO_TCP, Socket::TCP_INFO)
         rescue IOError, SystemCallError
           Thread.current.purge_interrupt_queue if Thread.current.respond_to? :purge_interrupt_queue
           @precheck_closing = false
@@ -172,107 +180,6 @@ module Puma
       @thread_pool and @thread_pool.pool_capacity
     end
 
-    # Lopez Mode == raw tcp apps
-
-    def run_lopez_mode(background=true)
-      @thread_pool = ThreadPool.new(@min_threads,
-                                    @max_threads,
-                                    Hash) do |client, tl|
-
-        io = client.to_io
-        addr = io.peeraddr.last
-
-        if addr.empty?
-          # Set unix socket addrs to localhost
-          addr = "127.0.0.1:0"
-        else
-          addr = "#{addr}:#{io.peeraddr[1]}"
-        end
-
-        env = { 'thread' => tl, REMOTE_ADDR => addr }
-
-        begin
-          @app.call env, client.to_io
-        rescue Object => e
-          STDERR.puts "! Detected exception at toplevel: #{e.message} (#{e.class})"
-          STDERR.puts e.backtrace
-        end
-
-        client.close unless env['detach']
-      end
-
-      @events.fire :state, :running
-
-      if background
-        @thread = Thread.new do
-          Puma.set_thread_name "server"
-          handle_servers_lopez_mode
-        end
-        return @thread
-      else
-        handle_servers_lopez_mode
-      end
-    end
-
-    def handle_servers_lopez_mode
-      begin
-        check = @check
-        sockets = [check] + @binder.ios
-        pool = @thread_pool
-
-        while @status == :run
-          begin
-            ios = IO.select sockets
-            ios.first.each do |sock|
-              if sock == check
-                break if handle_check
-              else
-                begin
-                  if io = sock.accept_nonblock
-                    client = Client.new io, nil
-                    pool << client
-                  end
-                rescue SystemCallError
-                  # nothing
-                rescue Errno::ECONNABORTED
-                  # client closed the socket even before accept
-                  begin
-                    io.close
-                  rescue
-                    Thread.current.purge_interrupt_queue if Thread.current.respond_to? :purge_interrupt_queue
-                  end
-                end
-              end
-            end
-          rescue Object => e
-            @events.unknown_error self, e, "Listen loop"
-          end
-        end
-
-        @events.fire :state, @status
-
-        graceful_shutdown if @status == :stop || @status == :restart
-
-      rescue Exception => e
-        STDERR.puts "Exception handling servers: #{e.message} (#{e.class})"
-        STDERR.puts e.backtrace
-      ensure
-        begin
-          @check.close
-        rescue
-          Thread.current.purge_interrupt_queue if Thread.current.respond_to? :purge_interrupt_queue
-        end
-
-        # Prevent can't modify frozen IOError (RuntimeError)
-        begin
-          @notify.close
-        rescue IOError
-          # no biggy
-        end
-      end
-
-      @events.fire :state, :done
-    end
     # Runs the server.
     #
     # If +background+ is true (the default) then a thread is spun
@@ -286,15 +193,9 @@ module Puma
 
       @status = :run
 
-      if @mode == :tcp
-        return run_lopez_mode(background)
-      end
-
-      queue_requests = @queue_requests
-
       @thread_pool = ThreadPool.new(@min_threads,
                                     @max_threads,
-                                    IOBuffer) do |client, buffer|
+                                    ::Puma::IOBuffer) do |client, buffer|
 
         # Advertise this server into the thread
         Thread.current[ThreadLocalKey] = self
@@ -302,10 +203,10 @@ module Puma
         process_now = false
 
         begin
-          if queue_requests
+          if @queue_requests
             process_now = client.eagerly_finish
           else
-            client.finish
+            client.finish(@first_data_timeout)
             process_now = true
           end
         rescue MiniSSL::SSLError => e
@@ -315,14 +216,16 @@ module Puma
 
           client.close
 
-          @events.ssl_error self, addr, cert, e
+          @events.ssl_error e, addr, cert
         rescue HttpParserError => e
           client.write_error(400)
           client.close
 
-          @events.parse_error self, client.env, e
-        rescue ConnectionError, EOFError
+          @events.parse_error e, client
+        rescue ConnectionError, EOFError => e
           client.close
+
+          @events.connection_error e, client
         else
           if process_now
             process_client client, buffer
@@ -331,11 +234,14 @@ module Puma
             @reactor.add client
           end
         end
+
+        process_now
       end
 
+      @thread_pool.out_of_band_hook = @options[:out_of_band]
       @thread_pool.clean_thread_locals = @options[:clean_thread_locals]
 
-      if queue_requests
+      if @queue_requests
         @reactor = Reactor.new self, @thread_pool
         @reactor.run_in_thread
       end
@@ -362,6 +268,7 @@ module Puma
     end
 
     def handle_servers
+      @check, @notify = Puma::Util.pipe unless @notify
       begin
         check = @check
         sockets = [check] + @binder.ios
@@ -385,51 +292,49 @@ module Puma
               if sock == check
                 break if handle_check
               else
-                begin
-                  if io = sock.accept_nonblock
-                    client = Client.new io, @binder.env(sock)
-                    if remote_addr_value
-                      client.peerip = remote_addr_value
-                    elsif remote_addr_header
-                      client.remote_addr_header = remote_addr_header
-                    end
-
-                    pool << client
-                    busy_threads = pool.wait_until_not_full
-                    if busy_threads == 0
-                      @options[:out_of_band].each(&:call) if @options[:out_of_band]
-                    end
-                  end
-                rescue SystemCallError
-                  # nothing
-                rescue Errno::ECONNABORTED
-                  # client closed the socket even before accept
-                  begin
-                    io.close
-                  rescue
-                    Thread.current.purge_interrupt_queue if Thread.current.respond_to? :purge_interrupt_queue
-                  end
+                pool.wait_until_not_full
+                pool.wait_for_less_busy_worker(
+                  @options[:wait_for_less_busy_worker].to_f)
+
+                io = begin
+                  sock.accept_nonblock
+                rescue IO::WaitReadable
+                  next
+                end
+                client = Client.new io, @binder.env(sock)
+                if remote_addr_value
+                  client.peerip = remote_addr_value
+                elsif remote_addr_header
+                  client.remote_addr_header = remote_addr_header
                 end
+                pool << client
               end
             end
           rescue Object => e
-            @events.unknown_error self, e, "Listen loop"
+            @events.unknown_error e, nil, "Listen loop"
           end
         end
 
         @events.fire :state, @status
 
-        graceful_shutdown if @status == :stop || @status == :restart
         if queue_requests
+          @queue_requests = false
           @reactor.clear!
           @reactor.shutdown
         end
+        graceful_shutdown if @status == :stop || @status == :restart
       rescue Exception => e
-        STDERR.puts "Exception handling servers: #{e.message} (#{e.class})"
-        STDERR.puts e.backtrace
+        @events.unknown_error e, nil, "Exception handling servers"
       ensure
-        @check.close
+        begin
+          @check.close unless @check.closed?
+        rescue Errno::EBADF, RuntimeError
+          # RuntimeError is Ruby 2.2 issue, can't modify frozen IOError
+          # Errno::EBADF is infrequently raised
+        end
         @notify.close
+        @notify = nil
+        @check = nil
       end
 
       @events.fire :state, :done
@@ -476,7 +381,6 @@ module Puma
             close_socket = false
             return
           when true
-            return unless @queue_requests
             buffer.reset
 
             ThreadPool.clean_thread_locals if clean_thread_locals
@@ -494,6 +398,7 @@ module Puma
             end
 
             unless client.reset(check_for_more_data)
+              return unless @queue_requests
               close_socket = false
               client.set_timeout @persistent_timeout
               @reactor.add client
@@ -516,7 +421,7 @@ module Puma
 
         close_socket = true
 
-        @events.ssl_error self, addr, cert, e
+        @events.ssl_error e, addr, cert
 
       # The client doesn't know HTTP well
       rescue HttpParserError => e
@@ -524,7 +429,7 @@ module Puma
 
         client.write_error(400)
 
-        @events.parse_error self, client.env, e
+        @events.parse_error e, client
 
       # Server error
       rescue StandardError => e
@@ -532,8 +437,7 @@ module Puma
 
         client.write_error(500)
 
-        @events.unknown_error self, e, "Read"
-
+        @events.unknown_error e, nil, "Read"
       ensure
         buffer.reset
 
@@ -543,7 +447,7 @@ module Puma
           Thread.current.purge_interrupt_queue if Thread.current.respond_to? :purge_interrupt_queue
           # Already closed
         rescue StandardError => e
-          @events.unknown_error self, e, "Client"
+          @events.unknown_error e, nil, "Client"
         end
       end
     end
@@ -579,7 +483,7 @@ module Puma
 
       env[PATH_INFO] = env[REQUEST_PATH]
 
-      # From http://www.ietf.org/rfc/rfc3875 :
+      # From https://www.ietf.org/rfc/rfc3875 :
       # "Script authors should be aware that the REMOTE_ADDR and
       # REMOTE_HOST meta-variables (see sections 4.1.8 and 4.1.9)
       # may not identify the ultimate source of the request.
@@ -626,6 +530,8 @@ module Puma
     #
     # Finally, it'll return +true+ on keep-alive connections.
     def handle_request(req, lines)
+      @requests_count +=1
+
       env = req.env
       client = req.io
 
@@ -657,6 +563,7 @@ module Puma
             headers.each_pair do |k, vs|
               if vs.respond_to?(:to_s) && !vs.to_s.empty?
                 vs.to_s.split(NEWLINE).each do |v|
+                  next if possible_header_injection?(v)
                   fast_write client, "#{k}: #{v}\r\n"
                 end
               else
@@ -665,12 +572,44 @@ module Puma
             end
 
             fast_write client, "\r\n".freeze
-          rescue ConnectionError
+          rescue ConnectionError => e
+            @events.debug_error e
             # noop, if we lost the socket we just won't send the early hints
           end
         }
       end
 
+      # Fixup any headers with , in the name to have _ now. We emit
+      # headers with , in them during the parse phase to avoid ambiguity
+      # with the - to _ conversion for critical headers. But here for
+      # compatibility, we'll convert them back. This code is written to
+      # avoid allocation in the common case (ie there are no headers
+      # with , in their names), that's why it has the extra conditionals.
+
+      to_delete = nil
+      to_add = nil
+
+      env.each do |k,v|
+        if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
+          if to_delete
+            to_delete << k
+          else
+            to_delete = [k]
+          end
+
+          unless to_add
+            to_add = {}
+          end
+
+          to_add[k.tr(",", "_")] = v
+        end
+      end
+
+      if to_delete
+        to_delete.each { |k| env.delete(k) }
+        env.merge! to_add
+      end
+
       # A rack extension. If the app writes #call'ables to this
       # array, we will invoke them when the request is done.
       #
@@ -692,17 +631,14 @@ module Puma
             return :async
           end
         rescue ThreadPool::ForceShutdown => e
-          @events.log "Detected force shutdown of a thread, returning 503"
-          @events.unknown_error self, e, "Rack app"
-
-          status = 503
-          headers = {}
-          res_body = ["Request was internally terminated early\n"]
+          @events.unknown_error e, req, "Rack app"
+          @events.log "Detected force shutdown of a thread"
 
+          status, headers, res_body = lowlevel_error(e, env, 503)
         rescue Exception => e
-          @events.unknown_error self, e, "Rack app", env
+          @events.unknown_error e, req, "Rack app"
 
-          status, headers, res_body = lowlevel_error(e, env)
+          status, headers, res_body = lowlevel_error(e, env, 500)
         end
 
         content_length = nil
@@ -717,10 +653,10 @@ module Puma
         line_ending = LINE_END
         colon = COLON
 
-        http_11 = if env[HTTP_VERSION] == HTTP_11
+        http_11 = env[HTTP_VERSION] == HTTP_11
+        if http_11
           allow_chunked = true
           keep_alive = env.fetch(HTTP_CONNECTION, "").downcase != CLOSE
-          include_keepalive_header = false
 
           # An optimization. The most common response is 200, so we can
           # reply with the proper 200 status without having to compute
@@ -734,11 +670,9 @@ module Puma
 
             no_body ||= status < 200 || STATUS_WITH_NO_ENTITY_BODY[status]
           end
-          true
         else
           allow_chunked = false
           keep_alive = env.fetch(HTTP_CONNECTION, "").downcase == KEEP_ALIVE
-          include_keepalive_header = keep_alive
 
           # Same optimization as above for HTTP/1.1
           #
@@ -750,14 +684,18 @@ module Puma
 
             no_body ||= status < 200 || STATUS_WITH_NO_ENTITY_BODY[status]
           end
-          false
         end
 
+        # regardless of what the client wants, we always close the connection
+        # if running without request queueing
+        keep_alive &&= @queue_requests
+
         response_hijack = nil
 
         headers.each do |k, vs|
           case k.downcase
           when CONTENT_LENGTH2
+            next if possible_header_injection?(vs)
             content_length = vs
             next
           when TRANSFER_ENCODING
@@ -770,6 +708,7 @@ module Puma
 
           if vs.respond_to?(:to_s) && !vs.to_s.empty?
             vs.to_s.split(NEWLINE).each do |v|
+              next if possible_header_injection?(v)
               lines.append k, colon, v, line_ending
             end
           else
@@ -777,10 +716,15 @@ module Puma
           end
         end
 
-        if include_keepalive_header
-          lines << CONNECTION_KEEP_ALIVE
-        elsif http_11 && !keep_alive
-          lines << CONNECTION_CLOSE
+        # HTTP/1.1 & 1.0 assume different defaults:
+        # - HTTP 1.0 assumes the connection will be closed if not specified
+        # - HTTP 1.1 assumes the connection will be kept alive if not specified.
+        # Only set the header if we're doing something which is not the default
+        # for this protocol version
+        if http_11
+          lines << CONNECTION_CLOSE if !keep_alive
+        else
+          lines << CONNECTION_KEEP_ALIVE if keep_alive
         end
 
         if no_body
@@ -907,19 +851,21 @@ module Puma
 
     # A fallback rack response if +@app+ raises as exception.
     #
-    def lowlevel_error(e, env)
+    def lowlevel_error(e, env, status=500)
       if handler = @options[:lowlevel_error_handler]
         if handler.arity == 1
           return handler.call(e)
-        else
+        elsif handler.arity == 2
           return handler.call(e, env)
+        else
+          return handler.call(e, env, status)
         end
       end
 
       if @leak_stack_on_error
-        [500, {}, ["Puma caught this error: #{e.message} (#{e.class})\n#{e.backtrace.join("\n")}"]]
+        [status, {}, ["Puma caught this error: #{e.message} (#{e.class})\n#{e.backtrace.join("\n")}"]]
       else
-        [500, {}, ["An unhandled lowlevel error occurred. The application logs may have details.\n"]]
+        [status, {}, ["An unhandled lowlevel error occurred. The application logs may have details.\n"]]
       end
     end
 
@@ -977,9 +923,10 @@ module Puma
     end
 
     def notify_safely(message)
+      @check, @notify = Puma::Util.pipe unless @notify
       begin
         @notify << message
-      rescue IOError
+      rescue IOError, NoMethodError, Errno::EPIPE
          # The server, in another thread, is shutting down
         Thread.current.purge_interrupt_queue if Thread.current.respond_to? :purge_interrupt_queue
       rescue RuntimeError => e
@@ -1006,8 +953,9 @@ module Puma
       @thread.join if @thread && sync
     end
 
-    def begin_restart
+    def begin_restart(sync=false)
       notify_safely(RESTART_COMMAND)
+      @thread.join if @thread && sync
     end
 
     def fast_write(io, str)
@@ -1040,5 +988,20 @@ module Puma
     def shutting_down?
       @status == :stop || @status == :restart
     end
+
+    def possible_header_injection?(header_value)
+      HTTP_INJECTION_REGEX =~ header_value.to_s
+    end
+    private :possible_header_injection?
+
+    # List of methods invoked by #stats.
+    # @version 5.0.0
+    STAT_METHODS = [:backlog, :running, :pool_capacity, :max_threads, :requests_count].freeze
+
+    # Returns a hash of stats about the running server for reporting purposes.
+    # @version 5.0.0
+    def stats
+      STAT_METHODS.map {|name| [name, send(name) || 0]}.to_h
+    end
   end
 end