puma 6.4.2-java → 6.4.3-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
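--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 1736c6dd01c94d6cf6a109965156ec60ec8a9deb17b42bdabc198f79d1b72c1a
-data.tar.gz: 58e70495466aa055fc76038a23cf394167ca393959ab7bfa8a55306a7506f1ac
+metadata.gz: 2c64abd1fab8a1c0fba14f0294713f8e903c8fecd721c7f057dfdbe0805747fc
+data.tar.gz: a402d2a1cae3e79f46cfb6d896962edbf267afedc0d3875a1da461a6512d8d57
 SHA512:
-metadata.gz: 5ee67bed8910a53a217a6d9f799cf7a64f145d5a80a0cbea224949e3ae2fe76ae31dc5e5991a7983f71cbe34836ef568cab41a6d0ae5ca7d21cf0f87b8fac09e
-data.tar.gz: '0085fa5bd8492707be9c52b3618c0663a06a2aad62e5fe60b66521d51572f8159d22f5f14b265314c1a094bec0d506dabef74c514fb8813d9a31d9f5395bfd3d'
+metadata.gz: bbf05e7a426685b8122a443bf2c658f1c9f98ff66125953a34174ccfff3a3340f63eeac5adb93c25c563e67d830741fe35c8a9555acdda4d51e59159a1954cc5
+data.tar.gz: 668bd2b0817bd8da6a2bfcf9ad8eb5c7383b3911a112e75c6547d4e7daa21e5d0c8bbf44a010dae88a939d492e109a5197746380e4c21805bcb50228b790af80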
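--- a/data/History.md
+++ b/data/History.md
@@ -1,3 +1,8 @@
+## 6.4.3 / 2024-09-19
+
+* Security
+* Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). ([CVE-2024-45614](https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4)/GHSA-9hf4-67fc-4vf4)
+
 ## 6.4.2 / 2024-01-08
 
 * Security
@@ -173,6 +178,11 @@
 * Ruby 3.2 will have native IO#wait_* methods, don't require io/wait ([#2903])
 * Various internal API refactorings ([#2942], [#2921], [#2922], [#2955])
 
+## 5.6.9 / 2024-09-19
+
+* Security
+* Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). ([CVE-2024-45614](https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4)/GHSA-9hf4-67fc-4vf4)
+
 ## 5.6.8 / 2024-01-08
 
 * Security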
@@ -99,6 +99,8 @@ public class Http11 extends RubyObject {
99
99
  int bite = b.get(i) & 0xFF;
100
100
  if(bite == '-') {
101
101
  b.set(i, (byte)'_');
102
+ } else if(bite == '_') {
103
+ b.set(i, (byte)',');
102
104
  } else {
103
105
  b.set(i, (byte)Character.toUpperCase(bite));
104
106
  }
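Review bot: The new `else if(bite == '_')` branch rewrites an underscore in a header name to `,` with no comment saying why, which reads like a bug to anyone who has not seen the Ruby side. The request.rb hunk on this page reverses it with `k.tr(",", "_")` only when no underscore-spelled key already exists, and the `UNMASKABLE_HEADERS` keys in const.rb (`HTTP_TRANSFER,ENCODING`, `HTTP_CONTENT,LENGTH`) are spelled that way because of exactly this mapping, so the three places must stay in sync. A comment above the branch would carry that: `// A literal '_' is marked as ',' so the Ruby request layer can tell it apart from the '_' produced from '-' above and drop it when the '-' spelling is also present (CVE-2024-45614).` The enclosing loop and method start and end outside the hunk.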
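--- a/data/lib/puma/const.rb
+++ b/data/lib/puma/const.rb
@@ -100,7 +100,7 @@ module Puma
 # too taxing on performance.
 module Const
 
-PUMA_VERSION = VERSION = "6.4.2"
+PUMA_VERSION = VERSION = "6.4.3"
 CODE_NAME = "The Eagle of Durango"
 
 PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze
@@ -281,6 +281,14 @@ module Puma
 # header values can contain HTAB?
 ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
 
+# The keys of headers that should not be convert to underscore
+# normalized versions. These headers are ignored at the request reading layer,
+# but if we normalize them after reading, it's just confusing for the application.
+UNMASKABLE_HEADERS = {
+"HTTP_TRANSFER,ENCODING" => true,
+"HTTP_CONTENT,LENGTH" => true,
+}
+
 # Banned keys of response header
 BANNED_HEADER_KEY = /\A(rack\.|status\z)/.freeze
 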
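Review bot: `UNMASKABLE_HEADERS` is left mutable while the neighbouring constants in this module (`ILLEGAL_HEADER_VALUE_REGEX`, `BANNED_HEADER_KEY`, `PUMA_SERVER_STRING`) all end in `.freeze`; a lookup table that decides which client header names are allowed to survive normalisation should be `}.freeze` too, so nothing can add or remove entries at runtime. The comment also has a typo: `# The keys of headers that should not be convert to underscore` should read `converted`. It would help to add that these keys are spelled with `,` because the parser marks a literal `_` in a header name that way (see the Http11 hunk above), since the values otherwise look like a mistake.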
Binary file
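--- a/data/lib/puma/request.rb
+++ b/data/lib/puma/request.rb
@@ -495,6 +495,11 @@ module Puma
 # compatibility, we'll convert them back. This code is written to
 # avoid allocation in the common case (ie there are no headers
 # with `,` in their names), that's why it has the extra conditionals.
+#
+# @note If a normalized version of a `,` header already exists, we ignore
+# the `,` version. This prevents clobbering headers managed by proxies
+# but not by clients (Like X-Forwarded-For).
+#
 # @param env [Hash] see Puma::Client#env, from request, modifies in place
 # @version 5.0.3
 #
@@ -503,23 +508,31 @@ module Puma
 to_add = nil
 
 env.each do |k,v|
-if k.start_with?("HTTP_") && k.include?(",") && k != "HTTP_TRANSFER,ENCODING"
+if k.start_with?("HTTP_") && k.include?(",") && !UNMASKABLE_HEADERS.key?(k)
 if to_delete
 to_delete << k
 else
 to_delete = [k]
 end
 
+new_k = k.tr(",", "_")
+if env.key?(new_k)
+next
+end
+
 unless to_add
 to_add = {}
 end
 
-to_add[k.tr(",", "_")] = v
+to_add[new_k] = v
 end
 end
 
-if to_delete
+if to_delete # rubocop:disable Style/SafeNavigation
 to_delete.each { |k| env.delete(k) }
+end
+
+if to_add
 env.merge! to_add
 end
 end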
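Review bot: The added `@note` says the `,` version is ignored when a normalized key exists, but the code is stricter than that: `k` is appended to `to_delete` before the `next`, so the `,` spelling is removed from `env` and only the pre-existing underscore key reaches the application; `# @note If a normalized version of a `,` header already exists, the `,` version is discarded and the existing value kept.` describes the behaviour accurately, and that distinction is the whole mitigation. Style: the three-line `if env.key?(new_k) / next / end` is written as a modifier in idiomatic Ruby, `next if env.key?(new_k)`. The check consults `env` but not `to_add`, so two differently placed `_` spellings of the same header both normalise to `new_k` and the last one wins; that is pre-existing behaviour and not a proxy clobber, but a one-line comment noting it would save the next reader the question. The method's `def` line lies before the first hunk.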
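--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-version: 6.4.2
+version: 6.4.3
 platform: java
 authors:
 - Evan Phoenix
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-08 00:00:00.000000000 Z
+date: 2024-09-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement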