puma 4.3.3 → 4.3.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bd20b1ca1b6236f1b1677f9bc40f4ea8f980ae678e1f57e6b20987d2322f7f4a
-  data.tar.gz: bb416036092bb4657a4f30dda5c72dc6a9ff8dda391e41950f7ece18230a4a5f
+  metadata.gz: 0133cf43153c495af4daa489fd6db234a14fb0d7b72201b71260d4d57dfb1211
+  data.tar.gz: a1a369772eaf8e3e0efa2931c4cdfdc1880314540c260d6c01226f4b0fd2a863
 SHA512:
-  metadata.gz: d6ce2871efeed834b717174a744ac45db359efd9969efb51b13a83f260d01def32d25fe3ac91a9a0f99483c054c89f4c40aaef988e2a7b46cb9cb54201200abc
-  data.tar.gz: c55618f49982d8c1a9161a4b8bce15878b75b960c9a28fb49c81d8934336c22023608082ba649414767d67a59436d580a12719660fa8710174dcb59823bb935d
+  metadata.gz: 6dfe3a8aa4e40676eb2c70822dac050c75f9bf9ec5270626e2b282a5971f323b2661d5792a4d24982e236f378a13ddf8408080e18bf7f4957cfd5971a7d8d034
+  data.tar.gz: 95706c08d6b746d82af99474001664b282bf760fbbef14860b5e6897dd4eaedc3f4b49a5da2a1809dcfcf0a23fe5f62baabe5da88c631c8228889c615248fe03

data/History.md

@@ -1,11 +1,23 @@
-## Master
+## 4.3.8 / 2021-05-11
 
-* Features
-  * Your feature goes here (#Github Number)
+* Security
+  * Close keepalive connections after the maximum number of fast inlined requests (#2625)
+
+## 4.3.7 / 2020-11-30
 
 * Bugfixes
-  * Your bugfix goes here (#Github Number)
+  * Backport set CONTENT_LENGTH for chunked requests (Originally: #2287, backport: #2496)
+
+## 4.3.6 / 2020-09-05
+
+* Bugfixes
+  * Explicitly include ctype.h to fix compilation warning and build error on macOS with Xcode 12 (#2304)
+  * Don't require json at boot (#2269)
+  * Set `CONTENT_LENGTH` for chunked requests (#2287)
+
+## 4.3.4/4.3.5 and 3.12.5/3.12.6 / 2020-05-22
 
+Each patchlevel release contains a separate security fix. We recommend simply upgrading to 4.3.5/3.12.6.
 
 ## 4.3.3 and 3.12.4 / 2020-02-28
   * Bugfixes

data/ext/puma_http11/extconf.rb

@@ -1,7 +1,7 @@
 require 'mkmf'
 
 dir_config("puma_http11")
-if RUBY_PLATFORM[/mingw32/]
+if $mingw && RUBY_VERSION >= '2.4'
   append_cflags '-D_FORTIFY_SOURCE=2'
   append_ldflags '-fstack-protector'
   have_library 'ssp'

data/ext/puma_http11/http11_parser.c

@@ -14,12 +14,14 @@
 
 /*
  * capitalizes all lower-case ASCII characters,
- * converts dashes to underscores.
+ * converts dashes to underscores, and underscores to commas.
  */
 static void snake_upcase_char(char *c)
 {
     if (*c >= 'a' && *c <= 'z')
       *c &= ~0x20;
+    else if (*c == '_')
+      *c = ',';
     else if (*c == '-')
       *c = '_';
 }

data/ext/puma_http11/http11_parser.rl

@@ -12,12 +12,14 @@
 
 /*
  * capitalizes all lower-case ASCII characters,
- * converts dashes to underscores.
+ * converts dashes to underscores, and underscores to commas.
  */
 static void snake_upcase_char(char *c)
 {
     if (*c >= 'a' && *c <= 'z')
       *c &= ~0x20;
+    else if (*c == '_')
+      *c = ',';
     else if (*c == '-')
       *c = '_';
 }

data/ext/puma_http11/puma_http11.c

@@ -10,6 +10,7 @@
 #include "ext_help.h"
 #include <assert.h>
 #include <string.h>
+#include <ctype.h>
 #include "http11_parser.h"
 
 #ifndef MANAGED_STRINGS

data/lib/puma/app/status.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'json'
-
 module Puma
   module App
     # Check out {#call}'s source code to see what actions this web application
@@ -19,6 +17,10 @@ module Puma
           return rack_response(403, 'Invalid auth token', 'text/plain')
         end
 
+        if env['PATH_INFO'] =~ /\/(gc-stats|stats|thread-backtraces)$/
+          require 'json'
+        end
+
         case env['PATH_INFO']
         when /\/stop$/
           @cli.stop

data/lib/puma/client.rb

@@ -153,7 +153,7 @@ module Puma
 
       begin
         data = @io.read_nonblock(CHUNK_SIZE)
-      rescue Errno::EAGAIN
+      rescue IO::WaitReadable
         return false
       rescue SystemCallError, IOError, EOFError
         raise ConnectionError, "Connection error detected during read"
@@ -285,8 +285,16 @@ module Puma
 
       te = @env[TRANSFER_ENCODING2]
 
-      if te && CHUNKED.casecmp(te) == 0
-        return setup_chunked_body(body)
+      if te
+        if te.include?(",")
+          te.split(",").each do |part|
+            if CHUNKED.casecmp(part.strip) == 0
+              return setup_chunked_body(body)
+            end
+          end
+        elsif CHUNKED.casecmp(te) == 0
+          return setup_chunked_body(body)
+        end
       end
 
       @chunked_body = false
@@ -343,7 +351,7 @@ module Puma
 
       begin
         chunk = @io.read_nonblock(want)
-      rescue Errno::EAGAIN
+      rescue IO::WaitReadable
         return false
       rescue SystemCallError, IOError
         raise ConnectionError, "Connection error detected during read"
@@ -389,7 +397,10 @@ module Puma
           raise EOFError
         end
 
-        return true if decode_chunk(chunk)
+        if decode_chunk(chunk)
+          @env[CONTENT_LENGTH] = @chunked_content_length
+          return true
+        end
       end
     end
 
@@ -402,19 +413,28 @@ module Puma
       @body.binmode
       @tempfile = @body
 
-      return decode_chunk(body)
+      @chunked_content_length = 0
+
+      if decode_chunk(body)
+        @env[CONTENT_LENGTH] = @chunked_content_length
+        return true
+      end
+    end
+
+    def write_chunk(str)
+      @chunked_content_length += @body.write(str)
     end
 
     def decode_chunk(chunk)
       if @partial_part_left > 0
         if @partial_part_left <= chunk.size
           if @partial_part_left > 2
-            @body << chunk[0..(@partial_part_left-3)] # skip the \r\n
+            write_chunk(chunk[0..(@partial_part_left-3)]) # skip the \r\n
           end
           chunk = chunk[@partial_part_left..-1]
           @partial_part_left = 0
         else
-          @body << chunk if @partial_part_left > 2 # don't include the last \r\n
+          write_chunk(chunk) if @partial_part_left > 2 # don't include the last \r\n
           @partial_part_left -= chunk.size
           return false
         end
@@ -461,12 +481,12 @@ module Puma
 
           case
           when got == len
-            @body << part[0..-3] # to skip the ending \r\n
+            write_chunk(part[0..-3]) # to skip the ending \r\n
           when got <= len - 2
-            @body << part
+            write_chunk(part)
             @partial_part_left = len - part.size
           when got == len - 1 # edge where we get just \r but not \n
-            @body << part[0..-2]
+            write_chunk(part[0..-2])
             @partial_part_left = len - part.size
           end
         else

data/lib/puma/const.rb

@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "4.3.3".freeze
+    PUMA_VERSION = VERSION = "4.3.8".freeze
     CODE_NAME = "Mysterious Traveller".freeze
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
 

data/lib/puma/server.rb

@@ -483,15 +483,20 @@ module Puma
 
             requests += 1
 
-            check_for_more_data = @status == :run
+            # Closing keepalive sockets after they've made a reasonable
+            # number of requests allows Puma to service many connections
+            # fairly, even when the number of concurrent connections exceeds
+            # the size of the threadpool. It also allows cluster mode Pumas
+            # to keep load evenly distributed across workers, because clients
+            # are randomly assigned a new worker when opening a new connection.
+            #
+            # Previously, Puma would kick connections in this conditional back
+            # to the reactor. However, because this causes the todo set to increase
+            # in size, the wait_until_full mutex would never unlock, leaving
+            # any additional connections unserviced.
+            break if requests >= MAX_FAST_INLINE
 
-            if requests >= MAX_FAST_INLINE
-              # This will mean that reset will only try to use the data it already
-              # has buffered and won't try to read more data. What this means is that
-              # every client, independent of their request speed, gets treated like a slow
-              # one once every MAX_FAST_INLINE requests.
-              check_for_more_data = false
-            end
+            check_for_more_data = @status == :run
 
             unless client.reset(check_for_more_data)
               close_socket = false
@@ -672,6 +677,37 @@ module Puma
         }
       end
 
+      # Fixup any headers with , in the name to have _ now. We emit
+      # headers with , in them during the parse phase to avoid ambiguity
+      # with the - to _ conversion for critical headers. But here for
+      # compatibility, we'll convert them back. This code is written to
+      # avoid allocation in the common case (ie there are no headers
+      # with , in their names), that's why it has the extra conditionals.
+
+      to_delete = nil
+      to_add = nil
+
+      env.each do |k,v|
+        if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
+          if to_delete
+            to_delete << k
+          else
+            to_delete = [k]
+          end
+
+          unless to_add
+            to_add = {}
+          end
+
+          to_add[k.tr(",", "_")] = v
+        end
+      end
+
+      if to_delete
+        to_delete.each { |k| env.delete(k) }
+        env.merge! to_add
+      end
+
       # A rack extension. If the app writes #call'ables to this
       # array, we will invoke them when the request is done.
       #

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 4.3.3
+  version: 4.3.8
 platform: ruby
 authors:
 - Evan Phoenix
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-02-28 00:00:00.000000000 Z
+date: 2021-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nio4r
@@ -121,7 +121,7 @@ licenses:
 metadata:
   msys2_mingw_dependencies: openssl
   changelog_uri: https://github.com/puma/puma/blob/master/History.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -136,8 +136,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for
   Ruby/Rack applications