puma 6.4.1-java → 6.4.2-java

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of puma might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 303909622ccfa9f081111d7b046bfa52b8fe9fdd123591a40093b2943907a0ed
4
- data.tar.gz: 30c160957bc8ceeef7a6f92496b7c585e8c33efa7f7e74cb29f3ffbd9d1aa417
3
+ metadata.gz: 1736c6dd01c94d6cf6a109965156ec60ec8a9deb17b42bdabc198f79d1b72c1a
4
+ data.tar.gz: 58e70495466aa055fc76038a23cf394167ca393959ab7bfa8a55306a7506f1ac
5
5
  SHA512:
6
- metadata.gz: 9828cf04803dc2a84025567f5777dd43c9ffdaeb92b8731caf88ebd58560d4470984afc3653b3e69b3a8769e0dcf422833b5478f6ce3c9ed1a5b44d6b83ab46c
7
- data.tar.gz: 4cf1e28a1707c35bf0efd914aacdc918e3698c21f740b8a8882c368102b7ba72cd0f4bbc6d2e05c325f39ac9796ce45b7727235b41d2cd95c77150990d477147
6
+ metadata.gz: 5ee67bed8910a53a217a6d9f799cf7a64f145d5a80a0cbea224949e3ae2fe76ae31dc5e5991a7983f71cbe34836ef568cab41a6d0ae5ca7d21cf0f87b8fac09e
7
+ data.tar.gz: '0085fa5bd8492707be9c52b3618c0663a06a2aad62e5fe60b66521d51572f8159d22f5f14b265314c1a094bec0d506dabef74c514fb8813d9a31d9f5395bfd3d'
data/History.md CHANGED
@@ -1,3 +1,8 @@
1
+ ## 6.4.2 / 2024-01-08
2
+
3
+ * Security
4
+ * Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. ([GHSA-c2f4-cvqm-65w2](https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2))
5
+
1
6
  ## 6.4.1 / 2024-01-03
2
7
 
3
8
  * Bugfixes
@@ -168,6 +173,11 @@
168
173
  * Ruby 3.2 will have native IO#wait_* methods, don't require io/wait ([#2903])
169
174
  * Various internal API refactorings ([#2942], [#2921], [#2922], [#2955])
170
175
 
176
+ ## 5.6.8 / 2024-01-08
177
+
178
+ * Security
179
+ * Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. ([GHSA-c2f4-cvqm-65w2](https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2))
180
+
171
181
  ## 5.6.7 / 2023-08-18
172
182
 
173
183
  * Security
data/lib/puma/client.rb CHANGED
@@ -51,6 +51,14 @@ module Puma
51
51
  CHUNK_VALID_ENDING = Const::LINE_END
52
52
  CHUNK_VALID_ENDING_SIZE = CHUNK_VALID_ENDING.bytesize
53
53
 
54
+ # The maximum number of bytes we'll buffer looking for a valid
55
+ # chunk header.
56
+ MAX_CHUNK_HEADER_SIZE = 4096
57
+
58
+ # The maximum amount of excess data the client sends
59
+ # using chunk size extensions before we abort the connection.
60
+ MAX_CHUNK_EXCESS = 16 * 1024
61
+
54
62
  # Content-Length header value validation
55
63
  CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
56
64
 
@@ -496,6 +504,7 @@ module Puma
496
504
  @chunked_body = true
497
505
  @partial_part_left = 0
498
506
  @prev_chunk = ""
507
+ @excess_cr = 0
499
508
 
500
509
  @body = Tempfile.new(Const::PUMA_TMP_BASE)
501
510
  @body.unlink
@@ -577,6 +586,20 @@ module Puma
577
586
  end
578
587
  end
579
588
 
589
+ # Track the excess as a function of the size of the
590
+ # header vs the size of the actual data. Excess can
591
+ # go negative (and is expected to) when the body is
592
+ # significant.
593
+ # The additional of chunk_hex.size and 2 compensates
594
+ # for a client sending 1 byte in a chunked body over
595
+ # a long period of time, making sure that that client
596
+ # isn't accidentally eventually punished.
597
+ @excess_cr += (line.size - len - chunk_hex.size - 2)
598
+
599
+ if @excess_cr >= MAX_CHUNK_EXCESS
600
+ raise HttpParserError, "Maximum chunk excess detected"
601
+ end
602
+
580
603
  len += 2
581
604
 
582
605
  part = io.read(len)
@@ -604,6 +627,10 @@ module Puma
604
627
  @partial_part_left = len - part.size
605
628
  end
606
629
  else
630
+ if @prev_chunk.size + chunk.size >= MAX_CHUNK_HEADER_SIZE
631
+ raise HttpParserError, "maximum size of chunk header exceeded"
632
+ end
633
+
607
634
  @prev_chunk = line
608
635
  return false
609
636
  end
data/lib/puma/const.rb CHANGED
@@ -100,7 +100,7 @@ module Puma
100
100
  # too taxing on performance.
101
101
  module Const
102
102
 
103
- PUMA_VERSION = VERSION = "6.4.1"
103
+ PUMA_VERSION = VERSION = "6.4.2"
104
104
  CODE_NAME = "The Eagle of Durango"
105
105
 
106
106
  PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puma
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.4.1
4
+ version: 6.4.2
5
5
  platform: java
6
6
  authors:
7
7
  - Evan Phoenix
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-01-02 00:00:00.000000000 Z
11
+ date: 2024-01-08 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement