puma 5.6.7-java → 5.6.9-java
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/History.md +11 -1
- data/ext/puma_http11/org/jruby/puma/Http11.java +2 -0
- data/lib/puma/client.rb +27 -0
- data/lib/puma/const.rb +9 -1
- data/lib/puma/null_io.rb +0 -0
- data/lib/puma/puma_http11.jar +0 -0
- data/lib/puma/request.rb +16 -3
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fb29810749146c699bb6f54fc65d5f8081afe0ae88c23108c20982311256d09c
|
|
4
|
+
data.tar.gz: 4794d718f37f0999f912103f67ee954f0dcbfc8866cfaa084721df0bd19ca602
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 22ca906ae08230bf2e620ccfcd1a464e273fef5613b0f6183b970f74a47214197dff74903c1c0f04b90bb148f37ddd8b2c00337e180d8d125b2594a1197e811a
|
|
7
|
+
data.tar.gz: c153bf83b4c371b96aab7e97fbba3ed94296ab547861cfeca213acb2aa580a4f07fc39f8b6946f8eaf77cc30eef0506ba3f255cb44373d61619841c3c0b708ec
|
data/History.md
CHANGED
|
@@ -1,6 +1,16 @@
|
|
|
1
|
+
## 5.6.9 / 2024-09-19
|
|
2
|
+
|
|
3
|
+
* Security
|
|
4
|
+
* Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). ([CVE-2024-45614](https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4)/GHSA-9hf4-67fc-4vf4)
|
|
5
|
+
|
|
6
|
+
## 5.6.8 / 2024-01-08
|
|
7
|
+
|
|
8
|
+
* Security
|
|
9
|
+
* Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. ([GHSA-c2f4-cvqm-65w2](https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2))
|
|
10
|
+
|
|
1
11
|
## 5.6.7 / 2023-08-18
|
|
2
12
|
|
|
3
|
-
* Security
|
|
13
|
+
* Security
|
|
4
14
|
* Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields ([GHSA-68xg-gqqm-vgj8](https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8))
|
|
5
15
|
|
|
6
16
|
## 5.6.6 / 2023-06-21
|
data/lib/puma/client.rb
CHANGED
|
@@ -48,6 +48,14 @@ module Puma
|
|
|
48
48
|
CHUNK_VALID_ENDING = Const::LINE_END
|
|
49
49
|
CHUNK_VALID_ENDING_SIZE = CHUNK_VALID_ENDING.bytesize
|
|
50
50
|
|
|
51
|
+
# The maximum number of bytes we'll buffer looking for a valid
|
|
52
|
+
# chunk header.
|
|
53
|
+
MAX_CHUNK_HEADER_SIZE = 4096
|
|
54
|
+
|
|
55
|
+
# The maximum amount of excess data the client sends
|
|
56
|
+
# using chunk size extensions before we abort the connection.
|
|
57
|
+
MAX_CHUNK_EXCESS = 16 * 1024
|
|
58
|
+
|
|
51
59
|
# Content-Length header value validation
|
|
52
60
|
CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
|
|
53
61
|
|
|
@@ -460,6 +468,7 @@ module Puma
|
|
|
460
468
|
@chunked_body = true
|
|
461
469
|
@partial_part_left = 0
|
|
462
470
|
@prev_chunk = ""
|
|
471
|
+
@excess_cr = 0
|
|
463
472
|
|
|
464
473
|
@body = Tempfile.new(Const::PUMA_TMP_BASE)
|
|
465
474
|
@body.unlink
|
|
@@ -541,6 +550,20 @@ module Puma
|
|
|
541
550
|
end
|
|
542
551
|
end
|
|
543
552
|
|
|
553
|
+
# Track the excess as a function of the size of the
|
|
554
|
+
# header vs the size of the actual data. Excess can
|
|
555
|
+
# go negative (and is expected to) when the body is
|
|
556
|
+
# significant.
|
|
557
|
+
# The additional of chunk_hex.size and 2 compensates
|
|
558
|
+
# for a client sending 1 byte in a chunked body over
|
|
559
|
+
# a long period of time, making sure that that client
|
|
560
|
+
# isn't accidentally eventually punished.
|
|
561
|
+
@excess_cr += (line.size - len - chunk_hex.size - 2)
|
|
562
|
+
|
|
563
|
+
if @excess_cr >= MAX_CHUNK_EXCESS
|
|
564
|
+
raise HttpParserError, "Maximum chunk excess detected"
|
|
565
|
+
end
|
|
566
|
+
|
|
544
567
|
len += 2
|
|
545
568
|
|
|
546
569
|
part = io.read(len)
|
|
@@ -568,6 +591,10 @@ module Puma
|
|
|
568
591
|
@partial_part_left = len - part.size
|
|
569
592
|
end
|
|
570
593
|
else
|
|
594
|
+
if @prev_chunk.size + chunk.size >= MAX_CHUNK_HEADER_SIZE
|
|
595
|
+
raise HttpParserError, "maximum size of chunk header exceeded"
|
|
596
|
+
end
|
|
597
|
+
|
|
571
598
|
@prev_chunk = line
|
|
572
599
|
return false
|
|
573
600
|
end
|
data/lib/puma/const.rb
CHANGED
|
@@ -100,7 +100,7 @@ module Puma
|
|
|
100
100
|
# too taxing on performance.
|
|
101
101
|
module Const
|
|
102
102
|
|
|
103
|
-
PUMA_VERSION = VERSION = "5.6.
|
|
103
|
+
PUMA_VERSION = VERSION = "5.6.9".freeze
|
|
104
104
|
CODE_NAME = "Birdie's Version".freeze
|
|
105
105
|
|
|
106
106
|
PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
|
|
@@ -244,6 +244,14 @@ module Puma
|
|
|
244
244
|
# header values can contain HTAB?
|
|
245
245
|
ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
|
|
246
246
|
|
|
247
|
+
# The keys of headers that should not be convert to underscore
|
|
248
|
+
# normalized versions. These headers are ignored at the request reading layer,
|
|
249
|
+
# but if we normalize them after reading, it's just confusing for the application.
|
|
250
|
+
UNMASKABLE_HEADERS = {
|
|
251
|
+
"HTTP_TRANSFER,ENCODING" => true,
|
|
252
|
+
"HTTP_CONTENT,LENGTH" => true,
|
|
253
|
+
}
|
|
254
|
+
|
|
247
255
|
# Banned keys of response header
|
|
248
256
|
BANNED_HEADER_KEY = /\A(rack\.|status\z)/.freeze
|
|
249
257
|
|
data/lib/puma/null_io.rb
CHANGED
|
File without changes
|
data/lib/puma/puma_http11.jar
CHANGED
|
Binary file
|
data/lib/puma/request.rb
CHANGED
|
@@ -318,6 +318,11 @@ module Puma
|
|
|
318
318
|
# compatibility, we'll convert them back. This code is written to
|
|
319
319
|
# avoid allocation in the common case (ie there are no headers
|
|
320
320
|
# with `,` in their names), that's why it has the extra conditionals.
|
|
321
|
+
#
|
|
322
|
+
# @note If a normalized version of a `,` header already exists, we ignore
|
|
323
|
+
# the `,` version. This prevents clobbering headers managed by proxies
|
|
324
|
+
# but not by clients (Like X-Forwarded-For).
|
|
325
|
+
#
|
|
321
326
|
# @param env [Hash] see Puma::Client#env, from request, modifies in place
|
|
322
327
|
# @version 5.0.3
|
|
323
328
|
#
|
|
@@ -326,23 +331,31 @@ module Puma
|
|
|
326
331
|
to_add = nil
|
|
327
332
|
|
|
328
333
|
env.each do |k,v|
|
|
329
|
-
if k.start_with?("HTTP_")
|
|
334
|
+
if k.start_with?("HTTP_") && k.include?(",") && !UNMASKABLE_HEADERS.key?(k)
|
|
330
335
|
if to_delete
|
|
331
336
|
to_delete << k
|
|
332
337
|
else
|
|
333
338
|
to_delete = [k]
|
|
334
339
|
end
|
|
335
340
|
|
|
341
|
+
new_k = k.tr(",", "_")
|
|
342
|
+
if env.key?(new_k)
|
|
343
|
+
next
|
|
344
|
+
end
|
|
345
|
+
|
|
336
346
|
unless to_add
|
|
337
347
|
to_add = {}
|
|
338
348
|
end
|
|
339
349
|
|
|
340
|
-
to_add[
|
|
350
|
+
to_add[new_k] = v
|
|
341
351
|
end
|
|
342
352
|
end
|
|
343
353
|
|
|
344
|
-
if to_delete
|
|
354
|
+
if to_delete # rubocop:disable Style/SafeNavigation
|
|
345
355
|
to_delete.each { |k| env.delete(k) }
|
|
356
|
+
end
|
|
357
|
+
|
|
358
|
+
if to_add
|
|
346
359
|
env.merge! to_add
|
|
347
360
|
end
|
|
348
361
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puma
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 5.6.
|
|
4
|
+
version: 5.6.9
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Evan Phoenix
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-09-21 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|