puma 6.3.0-java → 6.3.1-java

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of puma might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4ad102abd347c33f98c3a3a1000304ece5cbdbfe4bef67b4adbade6c91111cf0
4
- data.tar.gz: 8f9d1ce702bcffeac26ee1882c94603c29130ec61a21e6158d0c0b4cf69cc228
3
+ metadata.gz: 6f5e262555fc1a48fc5b142830e71c44508163d7a411374379e3b95cb9543161
4
+ data.tar.gz: ca0ca73ded268f1d35b8e1dcd9f8b852a19dcc513bb2f103241f21a18bf5cb2a
5
5
  SHA512:
6
- metadata.gz: f03c8f279ba9aa8139e056b1047a16c2e7f280cfbd9f3106c578d5782b8078dfd6d4c7ed3731066b20643f66bed6bcdf7b8a1e58fec429e0757940191e173dd0
7
- data.tar.gz: 28e109af79749191f8ea47247f66dcdd55ed74a53fcd3443e3e918a173e880ba8938fdea59aaa6c5abbfe8626358a2e52da50cf4df67e9fafa546bc9b3dc5db9
6
+ metadata.gz: 97563d93043490539f1d265e209c2356bc5beb35f5e7da2f3a7bb5ebb5ae25b0e675cd374e267c9cb32be81d7fc8a132344968154e68b7d9b257e9c09498c129
7
+ data.tar.gz: 628fbc77c3b36f5324e3a4baf57a9d445b7168c6e8751f4d37e7b0a6b0d20c2cae4311228c72562f3a4ff0b2c7edfb776e8e5477405688176c4378df8fa9fde0
data/History.md CHANGED
@@ -1,3 +1,8 @@
1
+ ## 6.3.1 / 2023-08-18
2
+
3
+ * Security
4
+ * Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields ([GHSA-68xg-gqqm-vgj8](https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8))
5
+
1
6
  ## 6.3.0 / 2023-05-31
2
7
 
3
8
  * Features
data/lib/puma/client.rb CHANGED
@@ -49,7 +49,8 @@ module Puma
49
49
 
50
50
  # chunked body validation
51
51
  CHUNK_SIZE_INVALID = /[^\h]/.freeze
52
- CHUNK_VALID_ENDING = "\r\n".freeze
52
+ CHUNK_VALID_ENDING = Const::LINE_END
53
+ CHUNK_VALID_ENDING_SIZE = CHUNK_VALID_ENDING.bytesize
53
54
 
54
55
  # Content-Length header value validation
55
56
  CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
@@ -382,8 +383,8 @@ module Puma
382
383
  cl = @env[CONTENT_LENGTH]
383
384
 
384
385
  if cl
385
- # cannot contain characters that are not \d
386
- if CONTENT_LENGTH_VALUE_INVALID.match? cl
386
+ # cannot contain characters that are not \d, or be empty
387
+ if CONTENT_LENGTH_VALUE_INVALID.match?(cl) || cl.empty?
387
388
  raise HttpParserError, "Invalid Content-Length: #{cl.inspect}"
388
389
  end
389
390
  else
@@ -544,7 +545,7 @@ module Puma
544
545
 
545
546
  while !io.eof?
546
547
  line = io.gets
547
- if line.end_with?("\r\n")
548
+ if line.end_with?(CHUNK_VALID_ENDING)
548
549
  # Puma doesn't process chunk extensions, but should parse if they're
549
550
  # present, which is the reason for the semicolon regex
550
551
  chunk_hex = line.strip[/\A[^;]+/]
@@ -556,13 +557,19 @@ module Puma
556
557
  @in_last_chunk = true
557
558
  @body.rewind
558
559
  rest = io.read
559
- last_crlf_size = "\r\n".bytesize
560
- if rest.bytesize < last_crlf_size
560
+ if rest.bytesize < CHUNK_VALID_ENDING_SIZE
561
561
  @buffer = nil
562
- @partial_part_left = last_crlf_size - rest.bytesize
562
+ @partial_part_left = CHUNK_VALID_ENDING_SIZE - rest.bytesize
563
563
  return false
564
564
  else
565
- @buffer = rest[last_crlf_size..-1]
565
+ # if the next character is a CRLF, set buffer to everything after that CRLF
566
+ start_of_rest = if rest.start_with?(CHUNK_VALID_ENDING)
567
+ CHUNK_VALID_ENDING_SIZE
568
+ else # we have started a trailer section, which we do not support. skip it!
569
+ rest.index(CHUNK_VALID_ENDING*2) + CHUNK_VALID_ENDING_SIZE*2
570
+ end
571
+
572
+ @buffer = rest[start_of_rest..-1]
566
573
  @buffer = nil if @buffer.empty?
567
574
  set_ready
568
575
  return true
data/lib/puma/const.rb CHANGED
@@ -100,7 +100,7 @@ module Puma
100
100
  # too taxing on performance.
101
101
  module Const
102
102
 
103
- PUMA_VERSION = VERSION = "6.3.0"
103
+ PUMA_VERSION = VERSION = "6.3.1"
104
104
  CODE_NAME = "Mugi No Toki Itaru"
105
105
 
106
106
  PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze
Binary file
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puma
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.3.0
4
+ version: 6.3.1
5
5
  platform: java
6
6
  authors:
7
7
  - Evan Phoenix
@@ -17,8 +17,8 @@ dependencies:
17
17
  - !ruby/object:Gem::Version
18
18
  version: '2.0'
19
19
  name: nio4r
20
- prerelease: false
21
20
  type: :runtime
21
+ prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - "~>"
@@ -145,7 +145,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
145
145
  - !ruby/object:Gem::Version
146
146
  version: '0'
147
147
  requirements: []
148
- rubygems_version: 3.2.33
148
+ rubygems_version: 3.3.26
149
149
  signing_key:
150
150
  specification_version: 4
151
151
  summary: Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for