puma 6.2.2 → 6.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d5bf04e3d05e490359fd54acb971ea4316fbf6b51eec1c4d572359dd985eea92
-  data.tar.gz: a85be9bb75fd16c13600f918fedad71cdd9950293af84464d488ad5adbdc7cbf
+  metadata.gz: dcbde9283993550beb848a4f777bf9d33a1e163f5356cfeeb40be3eede72e7d0
+  data.tar.gz: 5394fdd8307e5a1fd40c7cf560d01565a6a9d69fd0fa0006ff6b28e483e627aa
 SHA512:
-  metadata.gz: db99880324d78555ff6de88b5fd9eb37b5e169b2109c7021ca2a0f6325ce704f56d6ea2155099e7cee2bc71a8db73bf9fd12b97142c461c9e20ecbf4e7821463
-  data.tar.gz: 210d6a0a0cdd3922a792fd5311a4ae95ea6f3f1b04d5bd74daf316a55259f2c0f890b156d17812266ebf31a1a42ac860085f25bf5262a8556d987e4f5d3bc0f1
+  metadata.gz: 473b3047986b69763e01fb3b3f7fc1137070cb041ae235e520216e568860295a3b0ed105e4c52ee1d3aa05353d1b247e0782a1aa7bde840a540200f21d84320b
+  data.tar.gz: 69e625526fcc0b7216a419326e172114ed0ba4c7842722c1f896ed4d2fd559e4b58ea31f95a7ca52d37f11b5930433cfa6faab3f510996a39b1de3d3ff46d2a7

data/History.md

@@ -1,3 +1,26 @@
+## 6.3.1 / 2023-08-18
+
+* Security 
+  * Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields ([GHSA-68xg-gqqm-vgj8](https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8))
+
+## 6.3.0 / 2023-05-31
+
+* Features
+  * Add dsl method `supported_http_methods` ([#3106], [#3014])
+  * Puma error responses no longer have any fingerprints to indicate Puma ([#3161], [#3037])
+  * Support decryption of SSL key ([#3133], [#3132])
+
+* Bugfixes
+  * Don't send 103 early hints response when only invalid headers are used ([#3163])
+  * Handle malformed request path ([#3155], [#3148])
+  * Misc lib file fixes - trapping additional errors, CI helper ([#3129])
+  * Fixup req form data file upload with "r\n" line endings ([#3137])
+  * Restore rack 1.6 compatibility Restore rack 1.6 compatibility ([#3156])
+
+* Refactor
+  * const.rb - Update Puma::HTTP_STATUS_CODES ([#3162])
+  * Clarify Reactor#initialize ([#3151])
+
 ## 6.2.2 / 2023-04-17
 
 * Bugfixes
@@ -22,7 +45,6 @@
   * commonlogger.rb - fix HIJACK time format, use constants, not strings ([#3074])
   * Fixed some edge cases regarding request hijacking ([#3072])
 
-
 ## 6.1.1 / 2023-02-28
 
 * Bugfixes
@@ -1979,6 +2001,20 @@ be added back in a future date when a java Puma::MiniSSL is added.
 * Bugfixes
   * Your bugfix goes here <Most recent on the top, like GitHub> (#Github Number)
 
+[#3106]:https://github.com/puma/puma/pull/3106     "PR by @MSP-Greg, merged 2023-05-29"
+[#3014]:https://github.com/puma/puma/issues/3014   "Issue by @kyledrake, closed 2023-05-29"
+[#3161]:https://github.com/puma/puma/pull/3161     "PR by @MSP-Greg, merged 2023-05-27"
+[#3037]:https://github.com/puma/puma/issues/3037   "Issue by @daisy1754, closed 2023-05-27"
+[#3133]:https://github.com/puma/puma/pull/3133     "PR by @stanhu, merged 2023-04-30"
+[#3132]:https://github.com/puma/puma/issues/3132   "Issue by @stanhu, closed 2023-04-30"
+[#3163]:https://github.com/puma/puma/pull/3163     "PR by @MSP-Greg, merged 2023-05-27"
+[#3155]:https://github.com/puma/puma/pull/3155     "PR by @dentarg, merged 2023-05-14"
+[#3148]:https://github.com/puma/puma/issues/3148   "Issue by @dentarg, closed 2023-05-14"
+[#3129]:https://github.com/puma/puma/pull/3129     "PR by @MSP-Greg, merged 2023-05-02"
+[#3137]:https://github.com/puma/puma/pull/3137     "PR by @MSP-Greg, merged 2023-04-30"
+[#3156]:https://github.com/puma/puma/pull/3156     "PR by @severin, merged 2023-05-16"
+[#3162]:https://github.com/puma/puma/pull/3162     "PR by @MSP-Greg, merged 2023-05-23"
+[#3151]:https://github.com/puma/puma/pull/3151     "PR by @nateberkopec, merged 2023-05-12"
 [#3118]:https://github.com/puma/puma/pull/3118     "PR by @ninoseki, merged 2023-04-01"
 [#3117]:https://github.com/puma/puma/issues/3117   "Issue by @ninoseki, closed 2023-04-01"
 [#3109]:https://github.com/puma/puma/pull/3109     "PR by @ahorek, merged 2023-03-31"
@@ -2089,7 +2125,7 @@ be added back in a future date when a java Puma::MiniSSL is added.
 [#2794]:https://github.com/puma/puma/pull/2794     "PR by @johnnyshields, merged 2022-01-10"
 [#2759]:https://github.com/puma/puma/pull/2759     "PR by @ob-stripe, merged 2021-12-11"
 [#2731]:https://github.com/puma/puma/pull/2731     "PR by @baelter, merged 2021-11-02"
-[#2341]:https://github.com/puma/puma/issues/2341   "Issue by @cjlarose, closed 2021-11-02"
+[#2341]:https://github.com/puma/puma/issues/2341   "Issue by @cjlarose, opened 2020-08-18"
 [#2728]:https://github.com/puma/puma/pull/2728     "PR by @dalibor, merged 2021-10-31"
 [#2733]:https://github.com/puma/puma/pull/2733     "PR by @ob-stripe, merged 2021-12-12"
 [#2807]:https://github.com/puma/puma/pull/2807     "PR by @MSP-Greg, merged 2022-01-25"

data/README.md

@@ -279,6 +279,30 @@ $ puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&verification_f
 List of available flags: `USE_CHECK_TIME`, `CRL_CHECK`, `CRL_CHECK_ALL`, `IGNORE_CRITICAL`, `X509_STRICT`, `ALLOW_PROXY_CERTS`, `POLICY_CHECK`, `EXPLICIT_POLICY`, `INHIBIT_ANY`, `INHIBIT_MAP`, `NOTIFY_POLICY`, `EXTENDED_CRL_SUPPORT`, `USE_DELTAS`, `CHECK_SS_SIGNATURE`, `TRUSTED_FIRST`, `SUITEB_128_LOS_ONLY`, `SUITEB_192_LOS`, `SUITEB_128_LOS`, `PARTIAL_CHAIN`, `NO_ALT_CHAINS`, `NO_CHECK_TIME`
 (see https://www.openssl.org/docs/manmaster/man3/X509_VERIFY_PARAM_set_hostflags.html#VERIFICATION-FLAGS).
 
+#### Controlling OpenSSL Password Decryption
+
+To enable runtime decryption of an encrypted SSL key (not available for JRuby), use `key_password_command`:
+
+```
+$ puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&key_password_command=/path/to/command.sh'
+```
+
+`key_password_command` must:
+
+1. Be executable by Puma.
+2. Print the decryption password to stdout.
+
+ For example:
+
+```shell
+#!/bin/sh
+
+echo "this is my password"
+```
+
+`key_password_command` can be used with `key` or `key_pem`. If the key
+is not encrypted, the executable will not be called.
+
 ### Control/Status Server
 
 Puma has a built-in status and control app that can be used to query and control Puma.

data/ext/puma_http11/mini_ssl.c

@@ -185,6 +185,18 @@ static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
   return preverify_ok;
 }
 
+static int password_callback(char *buf, int size, int rwflag, void *userdata) {
+    const char *password = (const char *) userdata;
+    size_t len = strlen(password);
+
+    if (len > (size_t) size) {
+      return 0;
+    }
+
+    memcpy(buf, password, len);
+    return (int) len;
+}
+
 static VALUE
 sslctx_alloc(VALUE klass) {
   SSL_CTX *ctx;
@@ -212,10 +224,12 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
   SSL_CTX* ctx;
   int ssl_options;
   VALUE key, cert, ca, verify_mode, ssl_cipher_filter, no_tlsv1, no_tlsv1_1,
-    verification_flags, session_id_bytes, cert_pem, key_pem;
+    verification_flags, session_id_bytes, cert_pem, key_pem, key_password_command, key_password;
   BIO *bio;
   X509 *x509;
   EVP_PKEY *pkey;
+  pem_password_cb *password_cb = NULL;
+  const char *password = NULL;
 #ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
   int min;
 #endif
@@ -235,6 +249,8 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
 
   key = rb_funcall(mini_ssl_ctx, rb_intern_const("key"), 0);
 
+  key_password_command = rb_funcall(mini_ssl_ctx, rb_intern_const("key_password_command"), 0);
+
   cert = rb_funcall(mini_ssl_ctx, rb_intern_const("cert"), 0);
 
   ca = rb_funcall(mini_ssl_ctx, rb_intern_const("ca"), 0);
@@ -261,6 +277,18 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
     }
   }
 
+  if (!NIL_P(key_password_command)) {
+      key_password = rb_funcall(mini_ssl_ctx, rb_intern_const("key_password"), 0);
+
+      if (!NIL_P(key_password)) {
+          StringValue(key_password);
+          password_cb = password_callback;
+          password = RSTRING_PTR(key_password);
+          SSL_CTX_set_default_passwd_cb(ctx, password_cb);
+          SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *) password);
+      }
+  }
+
   if (!NIL_P(key)) {
     StringValue(key);
 
@@ -285,7 +313,7 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
   if (!NIL_P(key_pem)) {
     bio = BIO_new(BIO_s_mem());
     BIO_puts(bio, RSTRING_PTR(key_pem));
-    pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
+    pkey = PEM_read_bio_PrivateKey(bio, NULL, password_cb, (void *) password);
 
     if (SSL_CTX_use_PrivateKey(ctx, pkey) != 1) {
       BIO_free(bio);

data/lib/puma/app/status.rb

@@ -80,7 +80,7 @@ module Puma
 
       def authenticate(env)
         return true unless @auth_token
-        env['QUERY_STRING'].to_s.split(/&;/).include?("token=#{@auth_token}")
+        env['QUERY_STRING'].to_s.split('&;').include? "token=#{@auth_token}"
       end
 
       def rack_response(status, body, content_type='application/json')

data/lib/puma/binder.rb

@@ -48,7 +48,6 @@ module Puma
 
       @envs = {}
       @ios = []
-      localhost_authority
     end
 
     attr_reader :ios
@@ -451,11 +450,14 @@ module Puma
 
     def close_listeners
       @listeners.each do |l, io|
-        io.close unless io.closed?
-        uri = URI.parse l
-        next unless uri.scheme == 'unix'
-        unix_path = "#{uri.host}#{uri.path}"
-        File.unlink unix_path if @unix_paths.include?(unix_path) && File.exist?(unix_path)
+        begin
+          io.close unless io.closed?
+          uri = URI.parse l
+          next unless uri.scheme == 'unix'
+          unix_path = "#{uri.host}#{uri.path}"
+          File.unlink unix_path if @unix_paths.include?(unix_path) && File.exist?(unix_path)
+        rescue Errno::EBADF
+        end
       end
     end
 

data/lib/puma/client.rb

@@ -49,7 +49,8 @@ module Puma
 
     # chunked body validation
     CHUNK_SIZE_INVALID = /[^\h]/.freeze
-    CHUNK_VALID_ENDING = "\r\n".freeze
+    CHUNK_VALID_ENDING = Const::LINE_END
+    CHUNK_VALID_ENDING_SIZE = CHUNK_VALID_ENDING.bytesize
 
     # Content-Length header value validation
     CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
@@ -68,7 +69,7 @@ module Puma
       @to_io = io.to_io
       @io_buffer = IOBuffer.new
       @proto_env = env
-      @env = env ? env.dup : nil
+      @env = env&.dup
 
       @parser = HttpParser.new
       @parsed_bytes = 0
@@ -99,7 +100,8 @@ module Puma
 
       @in_last_chunk = false
 
-      @read_buffer = +""
+      # need unfrozen ASCII-8BIT, +'' is UTF-8
+      @read_buffer = String.new # rubocop: disable Performance/UnfreezeString
     end
 
     attr_reader :env, :to_io, :body, :io, :timeout_at, :ready, :hijacked,
@@ -381,8 +383,8 @@ module Puma
       cl = @env[CONTENT_LENGTH]
 
       if cl
-        # cannot contain characters that are not \d
-        if CONTENT_LENGTH_VALUE_INVALID.match? cl
+        # cannot contain characters that are not \d, or be empty
+        if CONTENT_LENGTH_VALUE_INVALID.match?(cl) || cl.empty?
           raise HttpParserError, "Invalid Content-Length: #{cl.inspect}"
         end
       else
@@ -543,7 +545,7 @@ module Puma
 
       while !io.eof?
         line = io.gets
-        if line.end_with?("\r\n")
+        if line.end_with?(CHUNK_VALID_ENDING)
           # Puma doesn't process chunk extensions, but should parse if they're
           # present, which is the reason for the semicolon regex
           chunk_hex = line.strip[/\A[^;]+/]
@@ -555,13 +557,19 @@ module Puma
             @in_last_chunk = true
             @body.rewind
             rest = io.read
-            last_crlf_size = "\r\n".bytesize
-            if rest.bytesize < last_crlf_size
+            if rest.bytesize < CHUNK_VALID_ENDING_SIZE
               @buffer = nil
-              @partial_part_left = last_crlf_size - rest.bytesize
+              @partial_part_left = CHUNK_VALID_ENDING_SIZE - rest.bytesize
               return false
             else
-              @buffer = rest[last_crlf_size..-1]
+              # if the next character is a CRLF, set buffer to everything after that CRLF
+              start_of_rest = if rest.start_with?(CHUNK_VALID_ENDING)
+                CHUNK_VALID_ENDING_SIZE
+              else # we have started a trailer section, which we do not support. skip it!
+                rest.index(CHUNK_VALID_ENDING*2) + CHUNK_VALID_ENDING_SIZE*2
+              end
+
+              @buffer = rest[start_of_rest..-1]
               @buffer = nil if @buffer.empty?
               set_ready
               return true

data/lib/puma/const.rb

@@ -18,6 +18,7 @@ module Puma
     100 => 'Continue',
     101 => 'Switching Protocols',
     102 => 'Processing',
+    103 => 'Early Hints',
     200 => 'OK',
     201 => 'Created',
     202 => 'Accepted',
@@ -49,16 +50,16 @@ module Puma
     410 => 'Gone',
     411 => 'Length Required',
     412 => 'Precondition Failed',
-    413 => 'Payload Too Large',
+    413 => 'Content Too Large',
     414 => 'URI Too Long',
     415 => 'Unsupported Media Type',
     416 => 'Range Not Satisfiable',
     417 => 'Expectation Failed',
-    418 => 'I\'m A Teapot',
     421 => 'Misdirected Request',
-    422 => 'Unprocessable Entity',
+    422 => 'Unprocessable Content',
     423 => 'Locked',
     424 => 'Failed Dependency',
+    425 => 'Too Early',
     426 => 'Upgrade Required',
     428 => 'Precondition Required',
     429 => 'Too Many Requests',
@@ -73,7 +74,7 @@ module Puma
     506 => 'Variant Also Negotiates',
     507 => 'Insufficient Storage',
     508 => 'Loop Detected',
-    510 => 'Not Extended',
+    510 => 'Not Extended (OBSOLETED)',
     511 => 'Network Authentication Required'
   }.freeze
 
@@ -99,8 +100,8 @@ module Puma
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "6.2.2"
-    CODE_NAME = "Speaking of Now"
+    PUMA_VERSION = VERSION = "6.3.1"
+    CODE_NAME = "Mugi No Toki Itaru"
 
     PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze
 
@@ -124,15 +125,15 @@ module Puma
       # Indicate that we couldn't parse the request
       400 => "HTTP/1.1 400 Bad Request\r\n\r\n",
       # The standard empty 404 response for bad requests.  Use Error4040Handler for custom stuff.
-      404 => "HTTP/1.1 404 Not Found\r\nConnection: close\r\nServer: Puma #{PUMA_VERSION}\r\n\r\nNOT FOUND",
+      404 => "HTTP/1.1 404 Not Found\r\nConnection: close\r\n\r\n",
       # The standard empty 408 response for requests that timed out.
-      408 => "HTTP/1.1 408 Request Timeout\r\nConnection: close\r\nServer: Puma #{PUMA_VERSION}\r\n\r\n",
+      408 => "HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n",
       # Indicate that there was an internal error, obviously.
       500 => "HTTP/1.1 500 Internal Server Error\r\n\r\n",
       # Incorrect or invalid header value
       501 => "HTTP/1.1 501 Not Implemented\r\n\r\n",
       # A common header for indicating the server is too busy.  Not used yet.
-      503 => "HTTP/1.1 503 Service Unavailable\r\n\r\nBUSY"
+      503 => "HTTP/1.1 503 Service Unavailable\r\n\r\n"
     }.freeze
 
     # The basic max request size we'll try to read.
@@ -147,7 +148,55 @@ module Puma
 
     REQUEST_METHOD = "REQUEST_METHOD"
     HEAD = "HEAD"
+
+    # based on https://www.rfc-editor.org/rfc/rfc9110.html#name-overview,
+    # with CONNECT removed, and PATCH added
     SUPPORTED_HTTP_METHODS = %w[HEAD GET POST PUT DELETE OPTIONS TRACE PATCH].freeze
+
+    # list from https://www.iana.org/assignments/http-methods/http-methods.xhtml
+    # as of 04-May-23
+    IANA_HTTP_METHODS = %w[
+      ACL
+      BASELINE-CONTROL
+      BIND
+      CHECKIN
+      CHECKOUT
+      CONNECT
+      COPY
+      DELETE
+      GET
+      HEAD
+      LABEL
+      LINK
+      LOCK
+      MERGE
+      MKACTIVITY
+      MKCALENDAR
+      MKCOL
+      MKREDIRECTREF
+      MKWORKSPACE
+      MOVE
+      OPTIONS
+      ORDERPATCH
+      PATCH
+      POST
+      PRI
+      PROPFIND
+      PROPPATCH
+      PUT
+      REBIND
+      REPORT
+      SEARCH
+      TRACE
+      UNBIND
+      UNCHECKOUT
+      UNLINK
+      UNLOCK
+      UPDATE
+      UPDATEREDIRECTREF
+      VERSION-CONTROL
+    ].freeze
+
     # ETag is based on the apache standard of hex mtime-size-inode (inode is 0 on win32)
     LINE_END = "\r\n"
     REMOTE_ADDR = "REMOTE_ADDR"

data/lib/puma/dsl.rb

@@ -89,6 +89,7 @@ module Puma
 
         cert_flags = (cert = opts[:cert]) ? "cert=#{Puma::Util.escape(cert)}" : nil
         key_flags = (key = opts[:key]) ? "&key=#{Puma::Util.escape(key)}" : nil
+        password_flags = (password_command = opts[:key_password_command]) ? "&key_password_command=#{Puma::Util.escape(password_command)}" : nil
 
         reuse_flag =
           if (reuse = opts[:reuse])
@@ -114,7 +115,7 @@ module Puma
             nil
           end
 
-        "ssl://#{host}:#{port}?#{cert_flags}#{key_flags}#{ssl_cipher_filter}" \
+        "ssl://#{host}:#{port}?#{cert_flags}#{key_flags}#{password_flags}#{ssl_cipher_filter}" \
           "#{reuse_flag}&verify_mode=#{verify}#{tls_str}#{ca_additions}#{v_flags}#{backlog_str}#{low_latency_str}"
       end
     end
@@ -1066,6 +1067,38 @@ module Puma
       @options[:http_content_length_limit] = limit
     end
 
+    # Supported http methods, which will replace `Puma::Const::SUPPORTED_HTTP_METHODS`.
+    # The value of `:any` will allows all methods, otherwise, the value must be
+    # an array of strings.  Note that methods are all uppercase.
+    #
+    # `Puma::Const::SUPPORTED_HTTP_METHODS` is conservative, if you want a
+    # complete set of methods, the methods defined by the
+    # [IANA Method Registry](https://www.iana.org/assignments/http-methods/http-methods.xhtml)
+    # are pre-defined as the constant `Puma::Const::IANA_HTTP_METHODS`.
+    #
+    # @note If the `methods` value is `:any`, no method check with be performed,
+    #   similar to Puma v5 and earlier.
+    #
+    # @example Adds 'PROPFIND' to existing supported methods
+    #   supported_http_methods(Puma::Const::SUPPORTED_HTTP_METHODS + ['PROPFIND'])
+    # @example Restricts methods to the array elements
+    #   supported_http_methods %w[HEAD GET POST PUT DELETE OPTIONS PROPFIND]
+    # @example Restricts methods to the methods in the IANA Registry
+    #   supported_http_methods Puma::Const::IANA_HTTP_METHODS
+    # @example Allows any method
+    #   supported_http_methods :any
+    #
+    def supported_http_methods(methods)
+      if methods == :any
+        @options[:supported_http_methods] = :any
+      elsif Array === methods && methods == (ary = methods.grep(String).uniq) &&
+        !ary.empty?
+        @options[:supported_http_methods] = ary
+      else
+        raise "supported_http_methods must be ':any' or a unique array of strings"
+      end
+    end
+
     private
 
     # To avoid adding cert_pem and key_pem as URI params, we store them on the

data/lib/puma/log_writer.rb

@@ -125,7 +125,7 @@ module Puma
     def ssl_error(error, ssl_socket)
       peeraddr = ssl_socket.peeraddr.last rescue "<unknown>"
       peercert = ssl_socket.peercert
-      subject = peercert ? peercert.subject : nil
+      subject = peercert&.subject
       @error_logger.info(error: error, text: "SSL error, peer: #{peeraddr}, peer cert: #{subject}")
     end
 

data/lib/puma/minissl/context_builder.rb

@@ -38,6 +38,7 @@ module Puma
 
           ctx.key = params['key'] if params['key']
           ctx.key_pem = params['key_pem'] if params['key_pem']
+          ctx.key_password_command = params['key_password_command'] if params['key_password_command']
 
           if params['cert'].nil? && params['cert_pem'].nil?
             log_writer.error "Please specify the SSL cert via 'cert=' or 'cert_pem='"

data/lib/puma/minissl.rb

@@ -5,6 +5,7 @@ begin
 rescue LoadError
 end
 
+require 'open3'
 # need for Puma::MiniSSL::OPENSSL constants used in `HAS_TLS1_3`
 # use require, see https://github.com/puma/puma/pull/2381
 require 'puma/puma_http11'
@@ -277,6 +278,7 @@ module Puma
       else
         # non-jruby Context properties
         attr_reader :key
+        attr_reader :key_password_command
         attr_reader :cert
         attr_reader :ca
         attr_reader :cert_pem
@@ -291,6 +293,10 @@ module Puma
           @key = key
         end
 
+        def key_password_command=(key_password_command)
+          @key_password_command = key_password_command
+        end
+
         def cert=(cert)
           check_file cert, 'Cert'
           @cert = cert
@@ -316,6 +322,17 @@ module Puma
           raise "Cert not configured" if @cert.nil? && @cert_pem.nil?
         end
 
+        # Executes the command to return the password needed to decrypt the key.
+        def key_password
+          raise "Key password command not configured" if @key_password_command.nil?
+
+          stdout_str, stderr_str, status = Open3.capture3(@key_password_command)
+
+          return stdout_str.chomp if status.success?
+
+          raise "Key password failed with code #{status.exitstatus}: #{stderr_str}"
+        end
+
         # Controls session reuse.  Allowed values are as follows:
         # * 'off' - matches the behavior of Puma 5.6 and earlier.  This is included
         #   in case reuse 'on' is made the default in future Puma versions.

data/lib/puma/rack/builder.rb

@@ -173,7 +173,7 @@ module Puma::Rack
         TOPLEVEL_BINDING, file, 0
     end
 
-    def initialize(default_app = nil,&block)
+    def initialize(default_app = nil, &block)
       @use, @map, @run, @warmup = [], nil, default_app, nil
 
       # Conditionally load rack now, so that any rack middlewares,
@@ -183,7 +183,7 @@ module Puma::Rack
       rescue LoadError
       end
 
-      instance_eval(&block) if block_given?
+      instance_eval(&block) if block
     end
 
     def self.app(default_app = nil, &block)

data/lib/puma/rack_default.rb

@@ -11,7 +11,7 @@ if Object.const_defined? :Rackup
       end
     end
   end
-elsif Object.const_defined?(:Rack) && Rack::RELEASE < '3'
+elsif Object.const_defined?(:Rack) && Rack.release < '3'
   module Rack
     module Handler
       def self.default(options = {})

data/lib/puma/reactor.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require_relative 'queue_close' unless ::Queue.instance_methods.include? :close
-
 module Puma
   class UnsupportedBackend < StandardError; end
 
@@ -22,10 +20,12 @@ module Puma
     # its timeout elapses, or when the Reactor shuts down.
     def initialize(backend, &block)
       require 'nio'
-      unless backend == :auto || NIO::Selector.backends.include?(backend)
-        raise "unsupported IO selector backend: #{backend} (available backends: #{NIO::Selector.backends.join(', ')})"
+      valid_backends = [:auto, *::NIO::Selector.backends]
+      unless valid_backends.include?(backend)
+        raise ArgumentError.new("unsupported IO selector backend: #{backend} (available backends: #{valid_backends.join(', ')})")
       end
-      @selector = backend == :auto ? NIO::Selector.new : NIO::Selector.new(backend)
+
+      @selector = ::NIO::Selector.new(NIO::Selector.backends.delete(backend))
       @input = Queue.new
       @timeouts = []
       @block = block
@@ -67,6 +67,7 @@ module Puma
     private
 
     def select_loop
+      close_selector = true
       begin
         until @input.closed? && @input.empty?
           # Wakeup any registered object that receives incoming data.
@@ -89,11 +90,19 @@ module Puma
       rescue StandardError => e
         STDERR.puts "Error in reactor loop escaped: #{e.message} (#{e.class})"
         STDERR.puts e.backtrace
-        retry
+
+        # NoMethodError may be rarely raised when calling @selector.select, which
+        # is odd.  Regardless, it may continue for thousands of calls if retried.
+        # Also, when it raises, @selector.close also raises an error.
+        if NoMethodError === e
+          close_selector = false
+        else
+          retry
+        end
       end
       # Wakeup all remaining objects on shutdown.
       @timeouts.each(&@block)
-      @selector.close
+      @selector.close if close_selector
     end
 
     # Start monitoring the object.

data/lib/puma/request.rb

@@ -77,7 +77,9 @@ module Puma
       if @early_hints
         env[EARLY_HINTS] = lambda { |headers|
           begin
-            fast_write_str socket, str_early_hints(headers)
+            unless (str = str_early_hints headers).empty?
+              fast_write_str socket, "HTTP/1.1 103 Early Hints\r\n#{str}\r\n"
+            end
           rescue ConnectionError => e
             @log_writer.debug_error e
             # noop, if we lost the socket we just won't send the early hints
@@ -93,7 +95,7 @@ module Puma
       env[RACK_AFTER_REPLY] ||= []
 
       begin
-        if SUPPORTED_HTTP_METHODS.include?(env[REQUEST_METHOD])
+        if @supported_http_methods == :any || @supported_http_methods.key?(env[REQUEST_METHOD])
           status, headers, app_body = @thread_pool.with_force_shutdown do
             @app.call(env)
           end
@@ -418,7 +420,11 @@ module Puma
 
       unless env[REQUEST_PATH]
         # it might be a dumbass full host request header
-        uri = URI.parse(env[REQUEST_URI])
+        uri = begin
+          URI.parse(env[REQUEST_URI])
+        rescue URI::InvalidURIError
+          raise Puma::HttpParserError
+        end
         env[REQUEST_PATH] = uri.path
 
         # A nil env value will cause a LintError (and fatal errors elsewhere),
@@ -525,7 +531,7 @@ module Puma
     # @version 5.0.3
     #
     def str_early_hints(headers)
-      eh_str = +"HTTP/1.1 103 Early Hints\r\n"
+      eh_str = +""
       headers.each_pair do |k, vs|
         next if illegal_header_key?(k)
 
@@ -534,11 +540,11 @@ module Puma
             next if illegal_header_value?(v)
             eh_str << "#{k}: #{v}\r\n"
           end
-        else
+        elsif !(vs.to_s.empty? || !illegal_header_value?(vs))
           eh_str << "#{k}: #{vs}\r\n"
         end
       end
-      "#{eh_str}\r\n".freeze
+      eh_str.freeze
     end
     private :str_early_hints
 

data/lib/puma/server.rb

@@ -51,7 +51,7 @@ module Puma
     def_delegators :@binder, :add_tcp_listener, :add_ssl_listener,
       :add_unix_listener, :connected_ports
 
-    ThreadLocalKey = :puma_server
+    THREAD_LOCAL_KEY = :puma_server
 
     # Create a server for the rack app +app+.
     #
@@ -97,6 +97,18 @@ module Puma
       @io_selector_backend = @options[:io_selector_backend]
       @http_content_length_limit = @options[:http_content_length_limit]
 
+      # make this a hash, since we prefer `key?` over `include?`
+      @supported_http_methods =
+        if @options[:supported_http_methods] == :any
+          :any
+        else
+          if (ary = @options[:supported_http_methods])
+            ary
+          else
+            SUPPORTED_HTTP_METHODS
+          end.sort.product([nil]).to_h.freeze
+        end
+
       temp = !!(@options[:environment] =~ /\A(development|test)\z/)
       @leak_stack_on_error = @options[:environment] ? temp : true
 
@@ -118,7 +130,7 @@ module Puma
     class << self
       # @!attribute [r] current
       def current
-        Thread.current[ThreadLocalKey]
+        Thread.current[THREAD_LOCAL_KEY]
       end
 
       # :nodoc:
@@ -404,7 +416,7 @@ module Puma
     # Return true if one or more requests were processed.
     def process_client(client)
       # Advertise this server into the thread
-      Thread.current[ThreadLocalKey] = self
+      Thread.current[THREAD_LOCAL_KEY] = self
 
       clean_thread_locals = @options[:clean_thread_locals]
       close_socket = true
@@ -566,7 +578,7 @@ module Puma
 
     def notify_safely(message)
       @notify << message
-    rescue IOError, NoMethodError, Errno::EPIPE
+    rescue IOError, NoMethodError, Errno::EPIPE, Errno::EBADF
       # The server, in another thread, is shutting down
       Puma::Util.purge_interrupt_queue
     rescue RuntimeError => e

data/lib/puma/thread_pool.rb

@@ -44,6 +44,10 @@ module Puma
       @name = name
       @min = Integer(options[:min_threads])
       @max = Integer(options[:max_threads])
+      # Not an 'exposed' option, options[:pool_shutdown_grace_time] is used in CI
+      # to shorten @shutdown_grace_time from SHUTDOWN_GRACE_TIME. Parallel CI
+      # makes stubbing constants difficult.
+      @shutdown_grace_time = Float(options[:pool_shutdown_grace_time] || SHUTDOWN_GRACE_TIME)
       @block = block
       @out_of_band = options[:out_of_band]
       @clean_thread_locals = options[:clean_thread_locals]
@@ -344,8 +348,8 @@ module Puma
 
     # Tell all threads in the pool to exit and wait for them to finish.
     # Wait +timeout+ seconds then raise +ForceShutdown+ in remaining threads.
-    # Next, wait an extra +grace+ seconds then force-kill remaining threads.
-    # Finally, wait +kill_grace+ seconds for remaining threads to exit.
+    # Next, wait an extra +@shutdown_grace_time+ seconds then force-kill remaining
+    # threads. Finally, wait 1 second for remaining threads to exit.
     #
     def shutdown(timeout=-1)
       threads = with_mutex do
@@ -382,7 +386,7 @@ module Puma
             t.raise ForceShutdown if t[:with_force_shutdown]
           end
         end
-        join.call(SHUTDOWN_GRACE_TIME)
+        join.call(@shutdown_grace_time)
 
         # If threads are _still_ running, forcefully kill them and wait to finish.
         threads.each(&:kill)

data/lib/rack/handler/puma.rb

@@ -31,7 +31,11 @@ module Puma
 
       conf = ::Puma::Configuration.new(options, default_options.merge({events: @events})) do |user_config, file_config, default_config|
         if options.delete(:Verbose)
-          require 'rack/common_logger'
+          begin
+            require 'rack/commonlogger'  # Rack 1.x
+          rescue LoadError
+            require 'rack/common_logger' # Rack 2 and later
+          end
           app = ::Rack::CommonLogger.new(app, STDOUT)
         end
 
@@ -123,7 +127,7 @@ if Object.const_defined? :Rackup
     end
   end
 else
-  do_register = Object.const_defined?(:Rack) && Rack::RELEASE < '3'
+  do_register = Object.const_defined?(:Rack) && Rack.release < '3'
   module Rack
     module Handler
       module Puma

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 6.2.2
+  version: 6.3.1
 platform: ruby
 authors:
 - Evan Phoenix
@@ -145,7 +145,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.20
+rubygems_version: 3.4.12
 signing_key:
 specification_version: 4
 summary: Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for