puma 5.6.5 → 5.6.7


Files changed (79)
  1. checksums.yaml +4 -4
  2. data/History.md +14 -1
  3. data/LICENSE +0 -0
  4. data/README.md +0 -0
  5. data/bin/puma-wild +0 -0
  6. data/docs/architecture.md +0 -0
  7. data/docs/compile_options.md +0 -0
  8. data/docs/deployment.md +0 -0
  9. data/docs/fork_worker.md +0 -0
  10. data/docs/images/puma-connection-flow-no-reactor.png +0 -0
  11. data/docs/images/puma-connection-flow.png +0 -0
  12. data/docs/images/puma-general-arch.png +0 -0
  13. data/docs/jungle/README.md +0 -0
  14. data/docs/jungle/rc.d/README.md +0 -0
  15. data/docs/jungle/rc.d/puma.conf +0 -0
  16. data/docs/kubernetes.md +0 -0
  17. data/docs/nginx.md +0 -0
  18. data/docs/plugins.md +0 -0
  19. data/docs/rails_dev_mode.md +0 -0
  20. data/docs/restart.md +0 -0
  21. data/docs/signals.md +0 -0
  22. data/docs/stats.md +0 -0
  23. data/docs/systemd.md +0 -0
  24. data/ext/puma_http11/PumaHttp11Service.java +0 -0
  25. data/ext/puma_http11/ext_help.h +0 -0
  26. data/ext/puma_http11/extconf.rb +0 -0
  27. data/ext/puma_http11/http11_parser.c +0 -0
  28. data/ext/puma_http11/http11_parser.h +0 -0
  29. data/ext/puma_http11/http11_parser.java.rl +0 -0
  30. data/ext/puma_http11/http11_parser.rl +0 -0
  31. data/ext/puma_http11/http11_parser_common.rl +0 -0
  32. data/ext/puma_http11/mini_ssl.c +0 -0
  33. data/ext/puma_http11/no_ssl/PumaHttp11Service.java +0 -0
  34. data/ext/puma_http11/org/jruby/puma/Http11.java +0 -0
  35. data/ext/puma_http11/org/jruby/puma/Http11Parser.java +0 -0
  36. data/ext/puma_http11/org/jruby/puma/MiniSSL.java +0 -0
  37. data/ext/puma_http11/puma_http11.c +0 -0
  38. data/lib/puma/app/status.rb +0 -0
  39. data/lib/puma/binder.rb +0 -0
  40. data/lib/puma/cli.rb +0 -0
  41. data/lib/puma/client.rb +15 -8
  42. data/lib/puma/cluster/worker.rb +0 -0
  43. data/lib/puma/cluster/worker_handle.rb +0 -0
  44. data/lib/puma/cluster.rb +0 -0
  45. data/lib/puma/commonlogger.rb +0 -0
  46. data/lib/puma/configuration.rb +0 -0
  47. data/lib/puma/const.rb +1 -1
  48. data/lib/puma/control_cli.rb +0 -0
  49. data/lib/puma/detect.rb +0 -0
  50. data/lib/puma/dsl.rb +0 -0
  51. data/lib/puma/error_logger.rb +0 -0
  52. data/lib/puma/events.rb +0 -0
  53. data/lib/puma/io_buffer.rb +0 -0
  54. data/lib/puma/jruby_restart.rb +0 -0
  55. data/lib/puma/json_serialization.rb +0 -0
  56. data/lib/puma/launcher.rb +0 -0
  57. data/lib/puma/minissl/context_builder.rb +0 -0
  58. data/lib/puma/minissl.rb +0 -0
  59. data/lib/puma/plugin/tmp_restart.rb +0 -0
  60. data/lib/puma/plugin.rb +0 -0
  61. data/lib/puma/queue_close.rb +0 -0
  62. data/lib/puma/rack/builder.rb +0 -0
  63. data/lib/puma/rack/urlmap.rb +0 -0
  64. data/lib/puma/rack_default.rb +0 -0
  65. data/lib/puma/reactor.rb +0 -0
  66. data/lib/puma/request.rb +0 -0
  67. data/lib/puma/runner.rb +0 -0
  68. data/lib/puma/server.rb +0 -0
  69. data/lib/puma/single.rb +0 -0
  70. data/lib/puma/state_file.rb +0 -0
  71. data/lib/puma/systemd.rb +0 -0
  72. data/lib/puma/thread_pool.rb +0 -0
  73. data/lib/puma/util.rb +0 -0
  74. data/lib/puma.rb +5 -3
  75. data/lib/rack/handler/puma.rb +0 -0
  76. data/lib/rack/version_restriction.rb +15 -0
  77. data/tools/Dockerfile +0 -0
  78. data/tools/trickletest.rb +0 -0
  79. metadata +3 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7be1244aa7c9d74f0021e1763e05b7220ceb3630b41ef7cf2205b71d5f5cf494
4
- data.tar.gz: 802a80a1437d272cfbd101be2fa5370860fd3745b17996661db5eaa47b98b0e1
3
+ metadata.gz: 1f1995d9f43f5297e945ba772d6fa72f814ef2878a6c819ab16774cfab9cf73e
4
+ data.tar.gz: f19f67fa86baadcfd6597212ccf50ca1c8dd7879d9920a7a7cf19839a0c4ede4
5
5
  SHA512:
6
- metadata.gz: f99a9be986d9c7d617b7dbbdae9072e183b7dc957df74f353b110223f1194350a4d87614869aaaae133c737c2ddb12633989850adee14c97e088db830a6e5754
7
- data.tar.gz: 684325223794be8efc7adf39c7eba75bb326bd3646a15aca28ebe92e83b5c836706ca37aeb6c5ec14bb4c9fcdb74ceb8c3b6d146ec862fb5008337c5430b66cc
6
+ metadata.gz: 335b387a7b47b246c3970cbd98556053627e2ef16b00d738a26ac8b67db8847f43b96ebfaddc695ea101a8c9aa9b8189e97b728aaf2596f74e4bbd32d30476f4
7
+ data.tar.gz: 02e6d936b3118718c2e9023b8ac512c82ddfed052ccdae9a64965a9d994589ff8f98cdcdad15e6b5c01bbc0bd0cc3ddf203afdb1c7be3ec9c81c26ee2e9479a2
data/History.md CHANGED
@@ -1,8 +1,20 @@
1
+ ## 5.6.7 / 2023-08-18
2
+
3
+ * Security
4
+ * Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields ([GHSA-68xg-gqqm-vgj8](https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8))
5
+
6
+ ## 5.6.6 / 2023-06-21
7
+
8
+ * Bugfix
9
+ * Allow Puma to be loaded with Rack 3 ([#3166])
10
+
1
11
  ## 5.6.5 / 2022-08-23
2
12
 
13
+ * Feature
14
+ * Puma::ControlCLI - allow refork command to be sent as a request ([#2868], [#2866])
15
+
3
16
  * Bugfixes
4
17
  * NullIO#closed should return false ([#2883])
5
- * Puma::ControlCLI - allow refork command to be sent as a request ([#2868], [#2866])
6
18
  * [jruby] Fix TLS verification hang ([#2890], [#2729])
7
19
  * extconf.rb - don't use pkg_config('openssl') if '--with-openssl-dir' is used ([#2885], [#2839])
8
20
  * MiniSSL - detect SSL_CTX_set_dh_auto ([#2864], [#2863])
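Review bot: the 5.6.6 entry reads "Allow Puma to be loaded with Rack 3", but the lib/rack/version_restriction.rb file added in this same release raises "Puma 5 is not compatible with Rack 3" whenever Rack >= 3.0.0 is found, so the wording describes the opposite of the behaviour; "Raise a clear error when loaded with Rack 3" would match. The 5.6.7 entry would also be more useful to operators if it said what the trailer-field part of the fix does: per the client.rb change, a chunked trailer section is now skipped rather than left in the buffer as the start of the next request.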
@@ -1861,6 +1873,7 @@ be added back in a future date when a java Puma::MiniSSL is added.
1861
1873
  * Bugfixes
1862
1874
  * Your bugfix goes here <Most recent on the top, like GitHub> (#Github Number)
1863
1875
 
1876
+ [#3166]:https://github.com/puma/puma/issues/3166 "Issue by @JoeDupuis, merged 2023-06-08"
1864
1877
  [#2883]:https://github.com/puma/puma/pull/2883 "PR by @MSP-Greg, merged 2022-06-02"
1865
1878
  [#2868]:https://github.com/puma/puma/pull/2868 "PR by @MSP-Greg, merged 2022-06-02"
1866
1879
  [#2866]:https://github.com/puma/puma/issues/2866 "Issue by @slondr, closed 2022-06-02"
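Review bot: the new [#3166] reference label says "Issue by @JoeDupuis, merged 2023-06-08"; the existing convention in this list is "closed" for issues (see the [#2866] entry in the same hunk) and "merged" only for PRs.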
data/LICENSE CHANGED
File without changes
data/README.md CHANGED
File without changes
data/bin/puma-wild CHANGED
File without changes
data/docs/architecture.md CHANGED
File without changes
data/docs/deployment.md CHANGED
File without changes
data/docs/fork_worker.md CHANGED
File without changes
data/docs/kubernetes.md CHANGED
File without changes
data/docs/nginx.md CHANGED
File without changes
data/docs/plugins.md CHANGED
File without changes
data/docs/restart.md CHANGED
File without changes
data/docs/signals.md CHANGED
File without changes
data/docs/stats.md CHANGED
File without changes
data/docs/systemd.md CHANGED
File without changes
data/lib/puma/binder.rb CHANGED
File without changes
data/lib/puma/cli.rb CHANGED
File without changes
data/lib/puma/client.rb CHANGED
@@ -45,7 +45,8 @@ module Puma
45
45
 
46
46
  # chunked body validation
47
47
  CHUNK_SIZE_INVALID = /[^\h]/.freeze
48
- CHUNK_VALID_ENDING = "\r\n".freeze
48
+ CHUNK_VALID_ENDING = Const::LINE_END
49
+ CHUNK_VALID_ENDING_SIZE = CHUNK_VALID_ENDING.bytesize
49
50
 
50
51
  # Content-Length header value validation
51
52
  CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
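Review bot: CHUNK_VALID_ENDING now aliases Const::LINE_END instead of a literal with an explicit .freeze, so whether it is frozen depends on const.rb, which this diff only touches for the version bump; worth confirming LINE_END is frozen, since line.end_with?(CHUNK_VALID_ENDING) and rest.index(CHUNK_VALID_ENDING*2) below would otherwise be affected by any accidental mutation of a shared string. Const is autoloaded from puma.rb, so referencing it at class-body load time is fine as long as client.rb is never required before puma.rb.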
@@ -347,8 +348,8 @@ module Puma
347
348
  cl = @env[CONTENT_LENGTH]
348
349
 
349
350
  if cl
350
- # cannot contain characters that are not \d
351
- if cl =~ CONTENT_LENGTH_VALUE_INVALID
351
+ # cannot contain characters that are not \d, or be empty
352
+ if cl =~ CONTENT_LENGTH_VALUE_INVALID || cl.empty?
352
353
  raise HttpParserError, "Invalid Content-Length: #{cl.inspect}"
353
354
  end
354
355
  else
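Review bot: `cl =~ CONTENT_LENGTH_VALUE_INVALID || cl.empty?` is the right fix: an empty string never matches /[^\d]/, so before this change a `Content-Length:` header with no value passed validation, which is the zero-length case the advisory in History.md refers to; rejecting it with HttpParserError matches the Content-Length = 1*DIGIT grammar. The same regex already rejects folded duplicates such as "5, 5". A regression test that sends an empty Content-Length value (and one with a single space) would be worth adding next to this change.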
@@ -509,7 +510,7 @@ module Puma
509
510
 
510
511
  while !io.eof?
511
512
  line = io.gets
512
- if line.end_with?("\r\n")
513
+ if line.end_with?(CHUNK_VALID_ENDING)
513
514
  # Puma doesn't process chunk extensions, but should parse if they're
514
515
  # present, which is the reason for the semicolon regex
515
516
  chunk_hex = line.strip[/\A[^;]+/]
@@ -521,13 +522,19 @@ module Puma
521
522
  @in_last_chunk = true
522
523
  @body.rewind
523
524
  rest = io.read
524
- last_crlf_size = "\r\n".bytesize
525
- if rest.bytesize < last_crlf_size
525
+ if rest.bytesize < CHUNK_VALID_ENDING_SIZE
526
526
  @buffer = nil
527
- @partial_part_left = last_crlf_size - rest.bytesize
527
+ @partial_part_left = CHUNK_VALID_ENDING_SIZE - rest.bytesize
528
528
  return false
529
529
  else
530
- @buffer = rest[last_crlf_size..-1]
530
+ # if the next character is a CRLF, set buffer to everything after that CRLF
531
+ start_of_rest = if rest.start_with?(CHUNK_VALID_ENDING)
532
+ CHUNK_VALID_ENDING_SIZE
533
+ else # we have started a trailer section, which we do not support. skip it!
534
+ rest.index(CHUNK_VALID_ENDING*2) + CHUNK_VALID_ENDING_SIZE*2
535
+ end
536
+
537
+ @buffer = rest[start_of_rest..-1]
531
538
  @buffer = nil if @buffer.empty?
532
539
  set_ready
533
540
  return true
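Review bot: in the trailer branch, `rest.index(CHUNK_VALID_ENDING*2)` returns nil when the trailer section has not fully arrived (no terminating CRLFCRLF in `rest` yet), and `nil + CHUNK_VALID_ENDING_SIZE*2` then raises NoMethodError instead of returning false to wait for more data, as the partial-CRLF branch above does for the short read. A two-byte `rest` such as "\rX", which is neither a CRLF nor a complete trailer, hits the same path. Suggest guarding the nil case: set `@buffer = nil`, record how much is still pending, and `return false`; and since the trailer is discarded anyway, consider rejecting an unterminated or over-long trailer with HttpParserError rather than buffering it without bound. The comment "if the next character is a CRLF" should say "next two bytes".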
data/lib/puma/cluster.rb CHANGED
File without changes
data/lib/puma/const.rb CHANGED
@@ -100,7 +100,7 @@ module Puma
100
100
  # too taxing on performance.
101
101
  module Const
102
102
 
103
- PUMA_VERSION = VERSION = "5.6.5".freeze
103
+ PUMA_VERSION = VERSION = "5.6.7".freeze
104
104
  CODE_NAME = "Birdie's Version".freeze
105
105
 
106
106
  PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
data/lib/puma/detect.rb CHANGED
File without changes
data/lib/puma/dsl.rb CHANGED
File without changes
data/lib/puma/events.rb CHANGED
File without changes
data/lib/puma/launcher.rb CHANGED
File without changes
data/lib/puma/minissl.rb CHANGED
File without changes
data/lib/puma/plugin.rb CHANGED
File without changes
data/lib/puma/reactor.rb CHANGED
File without changes
data/lib/puma/request.rb CHANGED
File without changes
data/lib/puma/runner.rb CHANGED
File without changes
data/lib/puma/server.rb CHANGED
File without changes
data/lib/puma/single.rb CHANGED
File without changes
data/lib/puma/systemd.rb CHANGED
File without changes
data/lib/puma/util.rb CHANGED
File without changes
data/lib/puma.rb CHANGED
@@ -10,9 +10,11 @@ require 'stringio'
10
10
 
11
11
  require 'thread'
12
12
 
13
+ # extension files should not be loaded with `require_relative`
13
14
  require 'puma/puma_http11'
14
- require 'puma/detect'
15
- require 'puma/json_serialization'
15
+ require_relative 'puma/detect'
16
+ require_relative 'puma/json_serialization'
17
+ require_relative 'rack/version_restriction'
16
18
 
17
19
  module Puma
18
20
  autoload :Const, 'puma/const'
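Review bot: `require_relative 'rack/version_restriction'` runs at `require 'puma'` time and, per the new file, raises StandardError whenever Rack >= 3.0.0 is loadable, so any process that merely loads Puma (rake tasks, `puma --version`, test helpers) now aborts under Rack 3 rather than only when a server starts; if that is intended it should be stated in the History entry. The new comment explains why puma/puma_http11 stays on plain `require`; the `autoload :Const, 'puma/const'` line below keeps a load-path style path for a different reason (autoload takes no relative form), and a word on that would stop readers from "fixing" it.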
@@ -23,7 +25,7 @@ module Puma
23
25
  # not in minissl.rb
24
26
  HAS_SSL = const_defined?(:MiniSSL, false) && MiniSSL.const_defined?(:Engine, false)
25
27
 
26
- HAS_UNIX_SOCKET = Object.const_defined? :UNIXSocket
28
+ HAS_UNIX_SOCKET = Object.const_defined?(:UNIXSocket) && !IS_WINDOWS
27
29
 
28
30
  if HAS_SSL
29
31
  require 'puma/minissl'
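Review bot: the added `&& !IS_WINDOWS` depends on IS_WINDOWS being defined by puma/detect, which the first hunk loads via require_relative before this module body runs, so the ordering holds. The diff gives no reason for the extra condition; a one-line comment saying why a defined UNIXSocket is not enough on Windows would help the next reader.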
data/lib/rack/version_restriction.rb ADDED
@@ -0,0 +1,15 @@
1
+ begin
2
+ begin
3
+ # rack/version exists in Rack 2.2.0 and later, compatible with Ruby 2.3 and later
4
+ # we prefer to not load Rack
5
+ require 'rack/version'
6
+ rescue LoadError
7
+ require 'rack'
8
+ end
9
+
10
+ # Rack.release is needed for Rack v1, Rack::RELEASE was added in v2
11
+ if Gem::Version.new(Rack.release) >= Gem::Version.new("3.0.0")
12
+ raise StandardError.new "Puma 5 is not compatible with Rack 3, please upgrade to Puma 6 or higher."
13
+ end
14
+ rescue LoadError
15
+ end
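Review bot: `Gem::Version.new(Rack.release) >= Gem::Version.new("3.0.0")` is false for prerelease releases such as "3.0.0.beta1", because Gem::Version orders a prerelease below its final version, so a Rack 3 beta slips past this check; comparing against `Gem::Version.new("3.0.0.a")` or testing the major segment closes that gap. The outer `rescue LoadError` correctly lets Puma load with no Rack installed, but the inner fallback `require 'rack'` loads all of Rack despite the "we prefer to not load Rack" comment; on Rack < 2.2 that is unavoidable and the comment should say so. Prefer `raise StandardError, "..."` (or a dedicated Puma error class) over `StandardError.new "..."` with a bare argument.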
data/tools/Dockerfile CHANGED
File without changes
data/tools/trickletest.rb CHANGED
File without changes
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puma
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.6.5
4
+ version: 5.6.7
5
5
  platform: ruby
6
6
  authors:
7
7
  - Evan Phoenix
@@ -115,6 +115,7 @@ files:
115
115
  - lib/puma/thread_pool.rb
116
116
  - lib/puma/util.rb
117
117
  - lib/rack/handler/puma.rb
118
+ - lib/rack/version_restriction.rb
118
119
  - tools/Dockerfile
119
120
  - tools/trickletest.rb
120
121
  homepage: https://puma.io
@@ -140,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
140
141
  - !ruby/object:Gem::Version
141
142
  version: '0'
142
143
  requirements: []
143
- rubygems_version: 3.2.26
144
+ rubygems_version: 3.4.12
144
145
  signing_key:
145
146
  specification_version: 4
146
147
  summary: Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for