puma 6.4.1-java → 6.4.2-java
- checksums.yaml +4 -4
- data/History.md +10 -0
- data/lib/puma/client.rb +27 -0
- data/lib/puma/const.rb +1 -1
- metadata +2 -2
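--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1736c6dd01c94d6cf6a109965156ec60ec8a9deb17b42bdabc198f79d1b72c1a
+data.tar.gz: 58e70495466aa055fc76038a23cf394167ca393959ab7bfa8a55306a7506f1ac
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5ee67bed8910a53a217a6d9f799cf7a64f145d5a80a0cbea224949e3ae2fe76ae31dc5e5991a7983f71cbe34836ef568cab41a6d0ae5ca7d21cf0f87b8fac09e
+data.tar.gz: '0085fa5bd8492707be9c52b3618c0663a06a2aad62e5fe60b66521d51572f8159d22f5f14b265314c1a094bec0d506dabef74c514fb8813d9a31d9f5395bfd3d'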
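--- a/data/History.md
+++ b/data/History.md
@@ -1,3 +1,8 @@
+## 6.4.2 / 2024-01-08
+
+* Security
+* Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. ([GHSA-c2f4-cvqm-65w2](https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2))
+
 ## 6.4.1 / 2024-01-03
 
 * Bugfixes
@@ -168,6 +173,11 @@
 * Ruby 3.2 will have native IO#wait_* methods, don't require io/wait ([#2903])
 * Various internal API refactorings ([#2942], [#2921], [#2922], [#2955])
 
+## 5.6.8 / 2024-01-08
+
+* Security
+* Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. ([GHSA-c2f4-cvqm-65w2](https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2))
+
 ## 5.6.7 / 2023-08-18
 
 * Security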
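--- a/data/lib/puma/client.rb
+++ b/data/lib/puma/client.rb
@@ -51,6 +51,14 @@ module Puma
 CHUNK_VALID_ENDING = Const::LINE_END
 CHUNK_VALID_ENDING_SIZE = CHUNK_VALID_ENDING.bytesize
 
+# The maximum number of bytes we'll buffer looking for a valid
+# chunk header.
+MAX_CHUNK_HEADER_SIZE = 4096
+
+# The maximum amount of excess data the client sends
+# using chunk size extensions before we abort the connection.
+MAX_CHUNK_EXCESS = 16 * 1024
+
 # Content-Length header value validation
 CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
 
@@ -496,6 +504,7 @@ module Puma
 @chunked_body = true
 @partial_part_left = 0
 @prev_chunk = ""
+@excess_cr = 0
 
 @body = Tempfile.new(Const::PUMA_TMP_BASE)
 @body.unlink
@@ -577,6 +586,20 @@ module Puma
 end
 end
 
+# Track the excess as a function of the size of the
+# header vs the size of the actual data. Excess can
+# go negative (and is expected to) when the body is
+# significant.
+# The additional of chunk_hex.size and 2 compensates
+# for a client sending 1 byte in a chunked body over
+# a long period of time, making sure that that client
+# isn't accidentally eventually punished.
+@excess_cr += (line.size - len - chunk_hex.size - 2)
+
+if @excess_cr >= MAX_CHUNK_EXCESS
+raise HttpParserError, "Maximum chunk excess detected"
+end
+
 len += 2
 
 part = io.read(len)
@@ -604,6 +627,10 @@ module Puma
 @partial_part_left = len - part.size
 end
 else
+if @prev_chunk.size + chunk.size >= MAX_CHUNK_HEADER_SIZE
+raise HttpParserError, "maximum size of chunk header exceeded"
+end
+
 @prev_chunk = line
 return false
 end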
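--- a/data/lib/puma/const.rb
+++ b/data/lib/puma/const.rb
@@ -100,7 +100,7 @@ module Puma
 # too taxing on performance.
 module Const
 
-PUMA_VERSION = VERSION = "6.4.
+PUMA_VERSION = VERSION = "6.4.2"
 CODE_NAME = "The Eagle of Durango"
 
 PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze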
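--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-version: 6.4.
+version: 6.4.2
 platform: java
 authors:
 - Evan Phoenix
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-
+date: 2024-01-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement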