puma 5.6.8-java → 5.6.9-java

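--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 6ed72bc95b403e5e588dfd3809f8c48c1fb4577d628e6e5fed467f3a3c3d72bc
- data.tar.gz: 7d11eab19b070a31cf61e2582bd9d669be46dc571a16a64751a74401a4f6c36c
+ metadata.gz: fb29810749146c699bb6f54fc65d5f8081afe0ae88c23108c20982311256d09c
+ data.tar.gz: 4794d718f37f0999f912103f67ee954f0dcbfc8866cfaa084721df0bd19ca602
  SHA512:
- metadata.gz: 6f030945f1d3164c941e45ef216a0374d66e3059d8afa633aa56ae049514b5bbd9970dc9afa3b1e31d6fdca6b0647b0a487abbde204ac0e30f6eeb0d3a2b04ec
- data.tar.gz: eb1a6d5e1b97bbcfd85fb1a866d66c35476fc50ada1676066b26830d9a2b11226707d2d7a0dd9b294d41438cdcdd008aa038d4dbd49ae33218f21f41098253a5
+ metadata.gz: 22ca906ae08230bf2e620ccfcd1a464e273fef5613b0f6183b970f74a47214197dff74903c1c0f04b90bb148f37ddd8b2c00337e180d8d125b2594a1197e811a
+ data.tar.gz: c153bf83b4c371b96aab7e97fbba3ed94296ab547861cfeca213acb2aa580a4f07fc39f8b6946f8eaf77cc30eef0506ba3f255cb44373d61619841c3c0b708ec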
data/History.md CHANGED
@@ -1,4 +1,9 @@
1
- ## 5.6.8 / 2023-01-08
1
+ ## 5.6.9 / 2024-09-19
2
+
3
+ * Security
4
+ * Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). ([CVE-2024-45614](https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4)/GHSA-9hf4-67fc-4vf4)
5
+
6
+ ## 5.6.8 / 2024-01-08
2
7
 
3
8
  * Security
4
9
  * Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. ([GHSA-c2f4-cvqm-65w2](https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2))
@@ -99,6 +99,8 @@ public class Http11 extends RubyObject {
99
99
  int bite = b.get(i) & 0xFF;
100
100
  if(bite == '-') {
101
101
  b.set(i, (byte)'_');
102
+ } else if(bite == '_') {
103
+ b.set(i, (byte)',');
102
104
  } else {
103
105
  b.set(i, (byte)Character.toUpperCase(bite));
104
106
  }
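Review bot: The new `else if(bite == '_')` branch turns an underscore into a comma with no comment, and the reason is only recoverable from History.md and the request.rb hunk later in this diff; a line such as `// '_' becomes ',' so a client header like X_Forwarded_For cannot collide with the '-' -> '_' form of X-Forwarded-For; request.rb restores it as '_' only when no such key already exists` above the branch would make the intent local to the parser. Note also that this hunk is printed under the data/History.md header although its `@@` context names `Http11 extends RubyObject`, so the Java source path is lost in this rendering. The enclosing method starts and ends outside the hunk.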
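--- a/data/lib/puma/const.rb
+++ b/data/lib/puma/const.rb
@@ -100,7 +100,7 @@ module Puma
  # too taxing on performance.
  module Const
 
- PUMA_VERSION = VERSION = "5.6.8".freeze
+ PUMA_VERSION = VERSION = "5.6.9".freeze
  CODE_NAME = "Birdie's Version".freeze
 
  PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
@@ -244,6 +244,14 @@ module Puma
  # header values can contain HTAB?
  ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
 
+ # The keys of headers that should not be convert to underscore
+ # normalized versions. These headers are ignored at the request reading layer,
+ # but if we normalize them after reading, it's just confusing for the application.
+ UNMASKABLE_HEADERS = {
+ "HTTP_TRANSFER,ENCODING" => true,
+ "HTTP_CONTENT,LENGTH" => true,
+ }
+
  # Banned keys of response header
  BANNED_HEADER_KEY = /\A(rack\.|status\z)/.freeze
 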
Binary file
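Review bot: `UNMASKABLE_HEADERS` in the second const.rb hunk is left unfrozen while the neighbouring constants `ILLEGAL_HEADER_VALUE_REGEX` and `BANNED_HEADER_KEY` both carry `.freeze`, so the closing line should read `}.freeze` to match the file's convention and keep the lookup table from being mutated at runtime. The comment above it has a grammar slip, `should not be convert` → `should not be converted`. The comma spelling of the keys is presumably the form the parser emits before the `,` → `_` restoration in request.rb; that deserves one clause in the comment, since const.rb alone gives no hint why the keys contain commas.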
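--- a/data/lib/puma/request.rb
+++ b/data/lib/puma/request.rb
@@ -318,6 +318,11 @@ module Puma
  # compatibility, we'll convert them back. This code is written to
  # avoid allocation in the common case (ie there are no headers
  # with `,` in their names), that's why it has the extra conditionals.
+ #
+ # @note If a normalized version of a `,` header already exists, we ignore
+ # the `,` version. This prevents clobbering headers managed by proxies
+ # but not by clients (Like X-Forwarded-For).
+ #
  # @param env [Hash] see Puma::Client#env, from request, modifies in place
  # @version 5.0.3
  #
@@ -326,23 +331,31 @@ module Puma
  to_add = nil
 
  env.each do |k,v|
- if k.start_with?("HTTP_") and k.include?(",") and k != "HTTP_TRANSFER,ENCODING"
+ if k.start_with?("HTTP_") && k.include?(",") && !UNMASKABLE_HEADERS.key?(k)
  if to_delete
  to_delete << k
  else
  to_delete = [k]
  end
 
+ new_k = k.tr(",", "_")
+ if env.key?(new_k)
+ next
+ end
+
  unless to_add
  to_add = {}
  end
 
- to_add[k.tr(",", "_")] = v
+ to_add[new_k] = v
  end
  end
 
- if to_delete
+ if to_delete # rubocop:disable Style/SafeNavigation
  to_delete.each { |k| env.delete(k) }
+ end
+
+ if to_add
  env.merge! to_add
  end
  end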
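Review bot: The `env.key?(new_k)` guard in the second hunk consults only `env`, not `to_add`, so two distinct comma-form keys that normalize to the same underscore key silently overwrite each other in `to_add` and the last one iterated wins; both forms are client-sent, so this is a determinism rather than a proxy-clobbering concern, but a one-line comment stating that would spare the next reader the same analysis. On style, `if env.key?(new_k) … next … end` and `unless to_add … end` read more naturally as `next if env.key?(new_k)` and `to_add ||= {}`, and `to_delete&.each { |k| env.delete(k) }` would remove the need for the `rubocop:disable Style/SafeNavigation` added on the `if to_delete` line. The `@note` added in the first hunk says the `,` version is "ignored", whereas the code also deletes it from `env` (it is pushed onto `to_delete` before the `next`); "discarded" would describe the behaviour more precisely. The method's `def` line lies between the two hunks and is not shown.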
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puma
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.6.8
4
+ version: 5.6.9
5
5
  platform: java
6
6
  authors:
7
7
  - Evan Phoenix
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-01-08 00:00:00.000000000 Z
11
+ date: 2024-09-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement