puma 5.6.7 → 5.6.8


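--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 1f1995d9f43f5297e945ba772d6fa72f814ef2878a6c819ab16774cfab9cf73e
-data.tar.gz: f19f67fa86baadcfd6597212ccf50ca1c8dd7879d9920a7a7cf19839a0c4ede4
+metadata.gz: cc34dc2b7094b86d3eec5100455de02cdcfb14a2e382059565e06e512d5c40ac
+data.tar.gz: 10080424606d3a4613f1b27b33199a048711da57e4b45a55f7e997346c64c419
 SHA512:
-metadata.gz: 335b387a7b47b246c3970cbd98556053627e2ef16b00d738a26ac8b67db8847f43b96ebfaddc695ea101a8c9aa9b8189e97b728aaf2596f74e4bbd32d30476f4
-data.tar.gz: 02e6d936b3118718c2e9023b8ac512c82ddfed052ccdae9a64965a9d994589ff8f98cdcdad15e6b5c01bbc0bd0cc3ddf203afdb1c7be3ec9c81c26ee2e9479a2
+metadata.gz: 18da16eff3311151ff29f868f07762d509541b1302dd6ff80bf323bb6fdd73da9d8bc32983a37b71e439faf4753e8110bdafb8f444df205b62f742376c980147
+data.tar.gz: 89968813be0e066fc4de68dc439827d621d2d1803c58c64ee2df78f4d9baa4785fc7865d655990564ff52d9cd64ebc8d9dbc4be048334e0f8db954d83efaeef1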
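--- a/data/History.md
+++ b/data/History.md
@@ -1,6 +1,11 @@
+## 5.6.8 / 2023-01-08
+
+* Security
+* Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. ([GHSA-c2f4-cvqm-65w2](https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2))
+
 ## 5.6.7 / 2023-08-18
 
-* Security
+* Security
 * Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields ([GHSA-68xg-gqqm-vgj8](https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8))
 
 ## 5.6.6 / 2023-06-21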
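--- a/data/lib/puma/client.rb
+++ b/data/lib/puma/client.rb
@@ -48,6 +48,14 @@ module Puma
 CHUNK_VALID_ENDING = Const::LINE_END
 CHUNK_VALID_ENDING_SIZE = CHUNK_VALID_ENDING.bytesize
 
+# The maximum number of bytes we'll buffer looking for a valid
+# chunk header.
+MAX_CHUNK_HEADER_SIZE = 4096
+
+# The maximum amount of excess data the client sends
+# using chunk size extensions before we abort the connection.
+MAX_CHUNK_EXCESS = 16 * 1024
+
 # Content-Length header value validation
 CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
 
@@ -460,6 +468,7 @@ module Puma
 @chunked_body = true
 @partial_part_left = 0
 @prev_chunk = ""
+@excess_cr = 0
 
 @body = Tempfile.new(Const::PUMA_TMP_BASE)
 @body.unlink
@@ -541,6 +550,20 @@ module Puma
 end
 end
 
+# Track the excess as a function of the size of the
+# header vs the size of the actual data. Excess can
+# go negative (and is expected to) when the body is
+# significant.
+# The additional of chunk_hex.size and 2 compensates
+# for a client sending 1 byte in a chunked body over
+# a long period of time, making sure that that client
+# isn't accidentally eventually punished.
+@excess_cr += (line.size - len - chunk_hex.size - 2)
+
+if @excess_cr >= MAX_CHUNK_EXCESS
+raise HttpParserError, "Maximum chunk excess detected"
+end
+
 len += 2
 
 part = io.read(len)
@@ -568,6 +591,10 @@ module Puma
 @partial_part_left = len - part.size
 end
 else
+if @prev_chunk.size + chunk.size >= MAX_CHUNK_HEADER_SIZE
+raise HttpParserError, "maximum size of chunk header exceeded"
+end
+
 @prev_chunk = line
 return false
 end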
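Review bot: The header-size guard in the last hunk measures `@prev_chunk.size + chunk.size`, but what is actually carried across reads is `line`, assigned on the very next line; if `decode_chunk` has already folded `@prev_chunk` into its StringIO and cleared it before the loop (that part of the method is outside the hunk), the guard collapses to the size of the current read and a client trickling a chunk header a few bytes per read never trips it. Bounding the retained buffer directly, `if line.bytesize >= MAX_CHUNK_HEADER_SIZE`, holds regardless of how `@prev_chunk` is managed earlier and also honours the "number of bytes" promised by the new constant's comment, since both new checks otherwise use `size`, which only equals bytes if the buffer is binary-encoded. In the third hunk the comment `# The additional of chunk_hex.size and 2 compensates` reads as a typo for `# The subtraction of chunk_hex.size and 2 compensates`. Note also that `@excess_cr` is allowed to go arbitrarily negative, so a client that first sends a large real body banks credit it can later spend on extension bytes; that is bounded by bandwidth the client already paid for, but worth stating in the comment. The enclosing method starts and ends outside the hunks.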
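--- a/data/lib/puma/const.rb
+++ b/data/lib/puma/const.rb
@@ -100,7 +100,7 @@ module Puma
 # too taxing on performance.
 module Const
 
-PUMA_VERSION = VERSION = "5.6.7".freeze
+PUMA_VERSION = VERSION = "5.6.8".freeze
 CODE_NAME = "Birdie's Version".freeze
 
 PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze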
data/lib/puma/null_io.rb CHANGED
File without changes
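--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-version: 5.6.7
+version: 5.6.8
 platform: ruby
 authors:
 - Evan Phoenix
 autorequire:
 bindir: bin
 cert_chain: []
-date: 1980-01-01 00:00:00.000000000 Z
+date: 2024-01-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: nio4r
@@ -141,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.4.12
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for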