puma 6.0.0 → 6.6.0

data/ext/puma_http11/mini_ssl.c

@@ -36,6 +36,12 @@ void raise_file_error(const char* caller, const char *filename) {
   rb_raise(eError, "%s: error in file '%s': %s", caller, filename, ERR_error_string(ERR_get_error(), NULL));
 }
 
+NORETURN(void raise_param_error(const char* caller, const char *param));
+
+void raise_param_error(const char* caller, const char *param) {
+  rb_raise(eError, "%s: error with parameter '%s': %s", caller, param, ERR_error_string(ERR_get_error(), NULL));
+}
+
 void engine_free(void *ptr) {
   ms_conn *conn = ptr;
   ms_cert_buf* cert_buf = (ms_cert_buf*)SSL_get_app_data(conn->ssl);
@@ -185,6 +191,18 @@ static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
   return preverify_ok;
 }
 
+static int password_callback(char *buf, int size, int rwflag, void *userdata) {
+    const char *password = (const char *) userdata;
+    size_t len = strlen(password);
+
+    if (len > (size_t) size) {
+      return 0;
+    }
+
+    memcpy(buf, password, len);
+    return (int) len;
+}
+
 static VALUE
 sslctx_alloc(VALUE klass) {
   SSL_CTX *ctx;
@@ -211,11 +229,13 @@ VALUE
 sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
   SSL_CTX* ctx;
   int ssl_options;
-  VALUE key, cert, ca, verify_mode, ssl_cipher_filter, no_tlsv1, no_tlsv1_1,
-    verification_flags, session_id_bytes, cert_pem, key_pem;
+  VALUE key, cert, ca, verify_mode, ssl_cipher_filter, ssl_ciphersuites, no_tlsv1, no_tlsv1_1,
+    verification_flags, session_id_bytes, cert_pem, key_pem, key_password_command, key_password;
   BIO *bio;
-  X509 *x509;
+  X509 *x509 = NULL;
   EVP_PKEY *pkey;
+  pem_password_cb *password_cb = NULL;
+  const char *password = NULL;
 #ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
   int min;
 #endif
@@ -235,6 +255,8 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
 
   key = rb_funcall(mini_ssl_ctx, rb_intern_const("key"), 0);
 
+  key_password_command = rb_funcall(mini_ssl_ctx, rb_intern_const("key_password_command"), 0);
+
   cert = rb_funcall(mini_ssl_ctx, rb_intern_const("cert"), 0);
 
   ca = rb_funcall(mini_ssl_ctx, rb_intern_const("ca"), 0);
@@ -247,6 +269,8 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
 
   ssl_cipher_filter = rb_funcall(mini_ssl_ctx, rb_intern_const("ssl_cipher_filter"), 0);
 
+  ssl_ciphersuites = rb_funcall(mini_ssl_ctx, rb_intern_const("ssl_ciphersuites"), 0);
+
   no_tlsv1 = rb_funcall(mini_ssl_ctx, rb_intern_const("no_tlsv1"), 0);
 
   no_tlsv1_1 = rb_funcall(mini_ssl_ctx, rb_intern_const("no_tlsv1_1"), 0);
@@ -261,6 +285,18 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
     }
   }
 
+  if (!NIL_P(key_password_command)) {
+      key_password = rb_funcall(mini_ssl_ctx, rb_intern_const("key_password"), 0);
+
+      if (!NIL_P(key_password)) {
+          StringValue(key_password);
+          password_cb = password_callback;
+          password = RSTRING_PTR(key_password);
+          SSL_CTX_set_default_passwd_cb(ctx, password_cb);
+          SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *) password);
+      }
+  }
+
   if (!NIL_P(key)) {
     StringValue(key);
 
@@ -270,22 +306,71 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
   }
 
   if (!NIL_P(cert_pem)) {
+    X509 *ca = NULL;
+    unsigned long err;
+
     bio = BIO_new(BIO_s_mem());
     BIO_puts(bio, RSTRING_PTR(cert_pem));
+
+    /**
+     * Much of this pulled as a simplified version of the `use_certificate_chain_file` method
+     * from openssl's `ssl_rsa.c` file.
+     */
+
+    /* first read the cert as the first item in the pem file */
     x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+    if (NULL == x509) {
+      BIO_free_all(bio);
+      raise_param_error("PEM_read_bio_X509", "cert_pem");
+    }
 
-    if (SSL_CTX_use_certificate(ctx, x509) != 1) {
-      BIO_free(bio);
-      raise_file_error("SSL_CTX_use_certificate", RSTRING_PTR(cert_pem));
+    /* Add the cert to the context */
+    /* 1 is success - otherwise check the error codes */
+    if (1 != SSL_CTX_use_certificate(ctx, x509)) {
+      BIO_free_all(bio);
+      raise_param_error("SSL_CTX_use_certificate", "cert_pem");
+    }
+
+    X509_free(x509); /* no longer need our reference */
+
+    /* Now lets load up the rest of the certificate chain */
+    /* 1 is success 0 is error */
+    if (0 == SSL_CTX_clear_chain_certs(ctx)) {
+      BIO_free_all(bio);
+      raise_param_error("SSL_CTX_clear_chain_certs","cert_pem");
+    }
+
+    while (1) {
+      ca = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+
+      if (NULL == ca) {
+        break;
+      }
+
+      if (0 == SSL_CTX_add0_chain_cert(ctx, ca)) {
+        BIO_free_all(bio);
+        raise_param_error("SSL_CTX_add0_chain_cert","cert_pem");
+      }
+      /* don't free ca - its now owned by the context */
+    }
+
+    /* ca is NULL - so its either the end of the file or an error */
+    err = ERR_peek_last_error();
+
+    /* If its the end of the file - then we are done, in any case free the bio */
+    BIO_free_all(bio);
+
+    if ((ERR_GET_LIB(err) == ERR_LIB_PEM) && (ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+      ERR_clear_error();
+    } else {
+      raise_param_error("PEM_read_bio_X509","cert_pem");
     }
-    X509_free(x509);
-    BIO_free(bio);
   }
 
   if (!NIL_P(key_pem)) {
     bio = BIO_new(BIO_s_mem());
     BIO_puts(bio, RSTRING_PTR(key_pem));
-    pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+    pkey = PEM_read_bio_PrivateKey(bio, NULL, password_cb, (void *) password);
 
     if (SSL_CTX_use_PrivateKey(ctx, pkey) != 1) {
       BIO_free(bio);
@@ -361,6 +446,14 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
     SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
   }
 
+#if HAVE_SSL_CTX_SET_CIPHERSUITES
+  // Only override OpenSSL default ciphersuites if config option is supplied.
+  if (!NIL_P(ssl_ciphersuites)) {
+    StringValue(ssl_ciphersuites);
+    SSL_CTX_set_ciphersuites(ctx, RSTRING_PTR(ssl_ciphersuites));
+  }
+#endif
+
 #if OPENSSL_VERSION_NUMBER < 0x10002000L
   // Remove this case if OpenSSL 1.0.1 (now EOL) support is no longer needed.
   ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
@@ -463,7 +556,7 @@ NORETURN(void raise_error(SSL* ssl, int result));
 
 void raise_error(SSL* ssl, int result) {
   char buf[512];
-  char msg[512];
+  char msg[768];
   const char* err_str;
   int err = errno;
   int mask = 4095;
@@ -721,6 +814,10 @@ void Init_mini_ssl(VALUE puma) {
 
   rb_define_method(eng, "init?", engine_init, 0);
 
+  /* @!attribute [r] peercert
+   * Returns `nil` when `MiniSSL::Context#verify_mode` is set to `VERIFY_NONE`.
+   * @return [String, nil] DER encoded cert
+   */
   rb_define_method(eng, "peercert", engine_peercert, 0);
 
   rb_define_method(eng, "ssl_vers_st", engine_ssl_vers_st, 0);

data/ext/puma_http11/org/jruby/puma/Http11.java

@@ -26,14 +26,14 @@ public class Http11 extends RubyObject {
     public final static String MAX_FIELD_NAME_LENGTH_ERR = "HTTP element FIELD_NAME is longer than the 256 allowed length.";
     public final static int MAX_FIELD_VALUE_LENGTH = 80 * 1024;
     public final static String MAX_FIELD_VALUE_LENGTH_ERR = "HTTP element FIELD_VALUE is longer than the 81920 allowed length.";
-    public final static int MAX_REQUEST_URI_LENGTH = 1024 * 12;
-    public final static String MAX_REQUEST_URI_LENGTH_ERR = "HTTP element REQUEST_URI is longer than the 12288 allowed length.";
+    public final static int MAX_REQUEST_URI_LENGTH = getConstLength("PUMA_REQUEST_URI_MAX_LENGTH", 1024 * 12);
+    public final static String MAX_REQUEST_URI_LENGTH_ERR = "HTTP element REQUEST_URI is longer than the " + MAX_REQUEST_URI_LENGTH + " allowed length.";
     public final static int MAX_FRAGMENT_LENGTH = 1024;
     public final static String MAX_FRAGMENT_LENGTH_ERR = "HTTP element REQUEST_PATH is longer than the 1024 allowed length.";
-    public final static int MAX_REQUEST_PATH_LENGTH = 8192;
-    public final static String MAX_REQUEST_PATH_LENGTH_ERR = "HTTP element REQUEST_PATH is longer than the 8192 allowed length.";
-    public final static int MAX_QUERY_STRING_LENGTH = 1024 * 10;
-    public final static String MAX_QUERY_STRING_LENGTH_ERR = "HTTP element QUERY_STRING is longer than the 10240 allowed length.";
+    public final static int MAX_REQUEST_PATH_LENGTH = getConstLength("PUMA_REQUEST_PATH_MAX_LENGTH", 8192);
+    public final static String MAX_REQUEST_PATH_LENGTH_ERR = "HTTP element REQUEST_PATH is longer than the " + MAX_REQUEST_PATH_LENGTH + " allowed length.";
+    public final static int MAX_QUERY_STRING_LENGTH = getConstLength("PUMA_QUERY_STRING_MAX_LENGTH", 10 * 1024);
+    public final static String MAX_QUERY_STRING_LENGTH_ERR = "HTTP element QUERY_STRING is longer than the " + MAX_QUERY_STRING_LENGTH +" allowed length.";
     public final static int MAX_HEADER_LENGTH = 1024 * (80 + 32);
     public final static String MAX_HEADER_LENGTH_ERR = "HTTP element HEADER is longer than the 114688 allowed length.";
 
@@ -48,6 +48,27 @@ public class Http11 extends RubyObject {
     public static final ByteList QUERY_STRING_BYTELIST = new ByteList(ByteList.plain("QUERY_STRING"));
     public static final ByteList SERVER_PROTOCOL_BYTELIST = new ByteList(ByteList.plain("SERVER_PROTOCOL"));
 
+    public static String getEnvOrProperty(String name) {
+        String envValue = System.getenv(name);
+        return (envValue != null) ? envValue : System.getProperty(name);
+    }
+
+    public static int getConstLength(String name, Integer defaultValue) {
+        String stringValue = getEnvOrProperty(name);
+        if (stringValue == null || stringValue.isEmpty()) return defaultValue;
+
+        try {
+            int value = Integer.parseUnsignedInt(stringValue);
+            if (value <= 0) {
+                throw new NumberFormatException("The number is not positive.");
+            }
+            return value;
+        } catch (NumberFormatException e) {
+            System.err.println(String.format("The value %s for %s is invalid. Using default value %d instead.", stringValue, name, defaultValue));
+            return defaultValue;
+        }
+    }
+
     private static ObjectAllocator ALLOCATOR = new ObjectAllocator() {
         public IRubyObject allocate(Ruby runtime, RubyClass klass) {
             return new Http11(runtime, klass);
@@ -56,7 +77,7 @@ public class Http11 extends RubyObject {
 
     public static void createHttp11(Ruby runtime) {
         RubyModule mPuma = runtime.defineModule("Puma");
-        mPuma.defineClassUnder("HttpParserError",runtime.getClass("IOError"),runtime.getClass("IOError").getAllocator());
+        mPuma.defineClassUnder("HttpParserError",runtime.getClass("StandardError"),runtime.getClass("StandardError").getAllocator());
 
         RubyClass cHttpParser = mPuma.defineClassUnder("HttpParser",runtime.getObject(),ALLOCATOR);
         cHttpParser.defineAnnotatedMethods(Http11.class);
@@ -99,6 +120,8 @@ public class Http11 extends RubyObject {
             int bite = b.get(i) & 0xFF;
             if(bite == '-') {
                 b.set(i, (byte)'_');
+            } else if(bite == '_') {
+                b.set(i, (byte)',');
             } else {
                 b.set(i, (byte)Character.toUpperCase(bite));
             }

data/ext/puma_http11/org/jruby/puma/MiniSSL.java

@@ -47,6 +47,7 @@ import static javax.net.ssl.SSLEngineResult.Status;
 import static javax.net.ssl.SSLEngineResult.HandshakeStatus;
 
 public class MiniSSL extends RubyObject { // MiniSSL::Engine
+  private static final long serialVersionUID = -6903439483039141234L;
   private static ObjectAllocator ALLOCATOR = new ObjectAllocator() {
     public IRubyObject allocate(Ruby runtime, RubyClass klass) {
       return new MiniSSL(runtime, klass);
@@ -500,7 +501,7 @@ public class MiniSSL extends RubyObject { // MiniSSL::Engine
   }
 
   private static RaiseException newError(Ruby runtime, RubyClass errorClass, String message, Throwable cause) {
-    RaiseException ex = new RaiseException(runtime, errorClass, message, true);
+    RaiseException ex = RaiseException.from(runtime, errorClass, message);
     ex.initCause(cause);
     return ex;
   }

data/ext/puma_http11/puma_http11.c

@@ -461,6 +461,9 @@ void Init_mini_ssl(VALUE mod);
 
 void Init_puma_http11(void)
 {
+#ifdef HAVE_RB_EXT_RACTOR_SAFE
+  rb_ext_ractor_safe(true);
+#endif
 
   VALUE mPuma = rb_define_module("Puma");
   VALUE cHttpParser = rb_define_class_under(mPuma, "HttpParser", rb_cObject);
@@ -472,7 +475,7 @@ void Init_puma_http11(void)
   DEF_GLOBAL(server_protocol, "SERVER_PROTOCOL");
   DEF_GLOBAL(request_path, "REQUEST_PATH");
 
-  eHttpParserError = rb_define_class_under(mPuma, "HttpParserError", rb_eIOError);
+  eHttpParserError = rb_define_class_under(mPuma, "HttpParserError", rb_eStandardError);
   rb_global_variable(&eHttpParserError);
 
   rb_define_alloc_func(cHttpParser, HttpParser_alloc);

data/lib/puma/app/status.rb

@@ -80,7 +80,7 @@ module Puma
 
       def authenticate(env)
         return true unless @auth_token
-        env['QUERY_STRING'].to_s.split(/&;/).include?("token=#{@auth_token}")
+        env['QUERY_STRING'].to_s.split(/[&;]/).include? "token=#{@auth_token}"
       end
 
       def rack_response(status, body, content_type='application/json')

data/lib/puma/binder.rb

@@ -19,13 +19,14 @@ module Puma
 
     RACK_VERSION = [1,6].freeze
 
-    def initialize(log_writer, conf = Configuration.new)
+    def initialize(log_writer, conf = Configuration.new, env: ENV)
       @log_writer = log_writer
       @conf = conf
       @listeners = []
       @inherited_fds = {}
       @activated_sockets = {}
       @unix_paths = []
+      @env = env
 
       @proto_env = {
         "rack.version".freeze => RACK_VERSION,
@@ -34,7 +35,7 @@ module Puma
         "rack.multiprocess".freeze => conf.options[:workers] >= 1,
         "rack.run_once".freeze => false,
         RACK_URL_SCHEME => conf.options[:rack_url_scheme],
-        "SCRIPT_NAME".freeze => ENV['SCRIPT_NAME'] || "",
+        "SCRIPT_NAME".freeze => env['SCRIPT_NAME'] || "",
 
         # I'd like to set a default CONTENT_TYPE here but some things
         # depend on their not being a default set and inferring
@@ -48,7 +49,6 @@ module Puma
 
       @envs = {}
       @ios = []
-      localhost_authority
     end
 
     attr_reader :ios
@@ -88,7 +88,7 @@ module Puma
     # @version 5.0.0
     #
     def create_activated_fds(env_hash)
-      @log_writer.debug "ENV['LISTEN_FDS'] #{ENV['LISTEN_FDS'].inspect}  env_hash['LISTEN_PID'] #{env_hash['LISTEN_PID'].inspect}"
+      @log_writer.debug "ENV['LISTEN_FDS'] #{@env['LISTEN_FDS'].inspect}  env_hash['LISTEN_PID'] #{env_hash['LISTEN_PID'].inspect}"
       return [] unless env_hash['LISTEN_FDS'] && env_hash['LISTEN_PID'].to_i == $$
       env_hash['LISTEN_FDS'].to_i.times do |index|
         sock = TCPServer.for_fd(socket_activation_fd(index))
@@ -142,7 +142,14 @@ module Puma
       end
     end
 
+    def before_parse(&block)
+      @before_parse ||= []
+      @before_parse << block if block
+      @before_parse
+    end
+
     def parse(binds, log_writer = nil, log_msg = 'Listening')
+      before_parse.each(&:call)
       log_writer ||= @log_writer
       binds.each do |str|
         uri = URI.parse str
@@ -158,10 +165,10 @@ module Puma
             ios_len = @ios.length
             params = Util.parse_query uri.query
 
-            opt = params.key?('low_latency') && params['low_latency'] != 'false'
+            low_latency = params.key?('low_latency') && params['low_latency'] != 'false'
             backlog = params.fetch('backlog', 1024).to_i
 
-            io = add_tcp_listener uri.host, uri.port, opt, backlog
+            io = add_tcp_listener uri.host, uri.port, low_latency, backlog
 
             @ios[ios_len..-1].each do |i|
               addr = loc_addr_str i
@@ -184,7 +191,7 @@ module Puma
             io = inherit_unix_listener path, fd
             log_writer.log "* Inherited #{str}"
           elsif sock = @activated_sockets.delete([ :unix, path ]) ||
-              @activated_sockets.delete([ :unix, File.realdirpath(path) ])
+              !abstract && @activated_sockets.delete([ :unix, File.realdirpath(path) ])
             @unix_paths << path unless abstract || File.exist?(path)
             io = inherit_unix_listener path, sock
             log_writer.log "* Activated #{str}"
@@ -251,7 +258,8 @@ module Puma
           else
             ios_len = @ios.length
             backlog = params.fetch('backlog', 1024).to_i
-            io = add_ssl_listener uri.host, uri.port, ctx, optimize_for_latency = true, backlog
+            low_latency = params['low_latency'] != 'false'
+            io = add_ssl_listener uri.host, uri.port, ctx, low_latency, backlog
 
             @ios[ios_len..-1].each do |i|
               addr = loc_addr_str i
@@ -330,7 +338,7 @@ module Puma
         return
       end
 
-      host = host[1..-2] if host and host[0..0] == '['
+      host = host[1..-2] if host&.start_with? '['
       tcp_server = TCPServer.new(host, port)
 
       if optimize_for_latency
@@ -364,7 +372,7 @@ module Puma
         return
       end
 
-      host = host[1..-2] if host[0..0] == '['
+      host = host[1..-2] if host&.start_with? '['
       s = TCPServer.new(host, port)
       if optimize_for_latency
         s.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
@@ -450,11 +458,14 @@ module Puma
 
     def close_listeners
       @listeners.each do |l, io|
-        io.close unless io.closed?
-        uri = URI.parse l
-        next unless uri.scheme == 'unix'
-        unix_path = "#{uri.host}#{uri.path}"
-        File.unlink unix_path if @unix_paths.include?(unix_path) && File.exist?(unix_path)
+        begin
+          io.close unless io.closed?
+          uri = URI.parse l
+          next unless uri.scheme == 'unix'
+          unix_path = "#{uri.host}#{uri.path}"
+          File.unlink unix_path if @unix_paths.include?(unix_path) && File.exist?(unix_path)
+        rescue Errno::EBADF
+        end
       end
     end
 

data/lib/puma/cli.rb

@@ -24,7 +24,7 @@ module Puma
     # Create a new CLI object using +argv+ as the command line
     # arguments.
     #
-    def initialize(argv, log_writer = LogWriter.stdio, events = Events.new)
+    def initialize(argv, log_writer = LogWriter.stdio, events = Events.new, env: ENV)
       @debug = false
       @argv = argv.dup
       @log_writer = log_writer
@@ -39,7 +39,7 @@ module Puma
       @control_url = nil
       @control_options = {}
 
-      setup_options
+      setup_options env
 
       begin
         @parser.parse! @argv
@@ -63,7 +63,7 @@ module Puma
         end
       end
 
-      @launcher = Puma::Launcher.new(@conf, :log_writer => @log_writer, :events => @events, :argv => argv)
+      @launcher = Puma::Launcher.new(@conf, env: ENV, log_writer: @log_writer, events: @events, argv: argv)
     end
 
     attr_reader :launcher
@@ -92,8 +92,8 @@ module Puma
     # Build the OptionParser object to handle the available options.
     #
 
-    def setup_options
-      @conf = Configuration.new do |user_config, file_config|
+    def setup_options(env = ENV)
+      @conf = Configuration.new({}, {events: @events}, env) do |user_config, file_config|
         @parser = OptionParser.new do |o|
           o.on "-b", "--bind URI", "URI to bind to (tcp://, unix://, ssl://)" do |arg|
             user_config.bind arg
@@ -144,6 +144,10 @@ module Puma
             $LOAD_PATH.unshift(*arg.split(':'))
           end
 
+          o.on "--idle-timeout SECONDS", "Number of seconds until the next request before automatic shutdown" do |arg|
+            user_config.idle_timeout arg
+          end
+
           o.on "-p", "--port PORT", "Define the TCP port to bind to",
             "Use -b for more advanced options" do |arg|
             user_config.bind "tcp://#{Configuration::DEFAULTS[:tcp_host]}:#{arg}"
@@ -153,6 +157,10 @@ module Puma
             user_config.pidfile arg
           end
 
+          o.on "--plugin PLUGIN", "Load the given PLUGIN. Can be used multiple times to load multiple plugins." do |arg|
+            user_config.plugin arg
+          end
+
           o.on "--preload", "Preload the app. Cluster mode only" do
             user_config.preload_app!
           end