puma 5.6.8-java → 5.6.9-java

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6ed72bc95b403e5e588dfd3809f8c48c1fb4577d628e6e5fed467f3a3c3d72bc
4
- data.tar.gz: 7d11eab19b070a31cf61e2582bd9d669be46dc571a16a64751a74401a4f6c36c
3
+ metadata.gz: fb29810749146c699bb6f54fc65d5f8081afe0ae88c23108c20982311256d09c
4
+ data.tar.gz: 4794d718f37f0999f912103f67ee954f0dcbfc8866cfaa084721df0bd19ca602
5
5
  SHA512:
6
- metadata.gz: 6f030945f1d3164c941e45ef216a0374d66e3059d8afa633aa56ae049514b5bbd9970dc9afa3b1e31d6fdca6b0647b0a487abbde204ac0e30f6eeb0d3a2b04ec
7
- data.tar.gz: eb1a6d5e1b97bbcfd85fb1a866d66c35476fc50ada1676066b26830d9a2b11226707d2d7a0dd9b294d41438cdcdd008aa038d4dbd49ae33218f21f41098253a5
6
+ metadata.gz: 22ca906ae08230bf2e620ccfcd1a464e273fef5613b0f6183b970f74a47214197dff74903c1c0f04b90bb148f37ddd8b2c00337e180d8d125b2594a1197e811a
7
+ data.tar.gz: c153bf83b4c371b96aab7e97fbba3ed94296ab547861cfeca213acb2aa580a4f07fc39f8b6946f8eaf77cc30eef0506ba3f255cb44373d61619841c3c0b708ec
data/History.md CHANGED
@@ -1,4 +1,9 @@
1
- ## 5.6.8 / 2023-01-08
1
+ ## 5.6.9 / 2024-09-19
2
+
3
+ * Security
4
+ * Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). ([CVE-2024-45614](https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4)/GHSA-9hf4-67fc-4vf4)
5
+
6
+ ## 5.6.8 / 2024-01-08
2
7
 
3
8
  * Security
4
9
  * Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. ([GHSA-c2f4-cvqm-65w2](https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2))
@@ -99,6 +99,8 @@ public class Http11 extends RubyObject {
99
99
  int bite = b.get(i) & 0xFF;
100
100
  if(bite == '-') {
101
101
  b.set(i, (byte)'_');
102
+ } else if(bite == '_') {
103
+ b.set(i, (byte)',');
102
104
  } else {
103
105
  b.set(i, (byte)Character.toUpperCase(bite));
104
106
  }
data/lib/puma/const.rb CHANGED
@@ -100,7 +100,7 @@ module Puma
100
100
  # too taxing on performance.
101
101
  module Const
102
102
 
103
- PUMA_VERSION = VERSION = "5.6.8".freeze
103
+ PUMA_VERSION = VERSION = "5.6.9".freeze
104
104
  CODE_NAME = "Birdie's Version".freeze
105
105
 
106
106
  PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
@@ -244,6 +244,14 @@ module Puma
244
244
  # header values can contain HTAB?
245
245
  ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
246
246
 
247
+ # The keys of headers that should not be convert to underscore
248
+ # normalized versions. These headers are ignored at the request reading layer,
249
+ # but if we normalize them after reading, it's just confusing for the application.
250
+ UNMASKABLE_HEADERS = {
251
+ "HTTP_TRANSFER,ENCODING" => true,
252
+ "HTTP_CONTENT,LENGTH" => true,
253
+ }
254
+
247
255
  # Banned keys of response header
248
256
  BANNED_HEADER_KEY = /\A(rack\.|status\z)/.freeze
249
257
 
Binary file
data/lib/puma/request.rb CHANGED
@@ -318,6 +318,11 @@ module Puma
318
318
  # compatibility, we'll convert them back. This code is written to
319
319
  # avoid allocation in the common case (ie there are no headers
320
320
  # with `,` in their names), that's why it has the extra conditionals.
321
+ #
322
+ # @note If a normalized version of a `,` header already exists, we ignore
323
+ # the `,` version. This prevents clobbering headers managed by proxies
324
+ # but not by clients (Like X-Forwarded-For).
325
+ #
321
326
  # @param env [Hash] see Puma::Client#env, from request, modifies in place
322
327
  # @version 5.0.3
323
328
  #
@@ -326,23 +331,31 @@ module Puma
326
331
  to_add = nil
327
332
 
328
333
  env.each do |k,v|
329
- if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
334
+ if k.start_with?("HTTP_") && k.include?(",") && !UNMASKABLE_HEADERS.key?(k)
330
335
  if to_delete
331
336
  to_delete << k
332
337
  else
333
338
  to_delete = [k]
334
339
  end
335
340
 
341
+ new_k = k.tr(",", "_")
342
+ if env.key?(new_k)
343
+ next
344
+ end
345
+
336
346
  unless to_add
337
347
  to_add = {}
338
348
  end
339
349
 
340
- to_add[k.tr(",", "_")] = v
350
+ to_add[new_k] = v
341
351
  end
342
352
  end
343
353
 
344
- if to_delete
354
+ if to_delete # rubocop:disable Style/SafeNavigation
345
355
  to_delete.each { |k| env.delete(k) }
356
+ end
357
+
358
+ if to_add
346
359
  env.merge! to_add
347
360
  end
348
361
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puma
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.6.8
4
+ version: 5.6.9
5
5
  platform: java
6
6
  authors:
7
7
  - Evan Phoenix
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-01-08 00:00:00.000000000 Z
11
+ date: 2024-09-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement