puma 7.2.0 → 8.0.2

data/lib/puma/binder.rb

@@ -90,7 +90,7 @@ module Puma
     # @version 5.0.0
     #
     def create_activated_fds(env_hash)
-      @log_writer.debug "ENV['LISTEN_FDS'] #{@env['LISTEN_FDS'].inspect}  env_hash['LISTEN_PID'] #{env_hash['LISTEN_PID'].inspect}"
+      @log_writer.debug { "ENV['LISTEN_FDS'] #{@env['LISTEN_FDS'].inspect}  env_hash['LISTEN_PID'] #{env_hash['LISTEN_PID'].inspect}" }
       return [] unless env_hash['LISTEN_FDS'] && env_hash['LISTEN_PID'].to_i == $$
       env_hash['LISTEN_FDS'].to_i.times do |index|
         sock = TCPServer.for_fd(socket_activation_fd(index))
@@ -102,7 +102,7 @@ module Puma
           [:tcp, addr, port]
         end
         @activated_sockets[key] = sock
-        @log_writer.debug "Registered #{key.join ':'} for activation from LISTEN_FDS"
+        @log_writer.debug { "Registered #{key.join ':'} for activation from LISTEN_FDS" }
       end
       ["LISTEN_FDS", "LISTEN_PID"] # Signal to remove these keys from ENV
     end

data/lib/puma/cli.rb

@@ -148,7 +148,7 @@ module Puma
 
           o.on "-p", "--port PORT", "Define the TCP port to bind to",
             "Use -b for more advanced options" do |arg|
-            user_config.bind "tcp://#{Configuration::DEFAULTS[:tcp_host]}:#{arg}"
+            user_config.port arg, Configuration.default_tcp_host
           end
 
           o.on "--pidfile PATH", "Use PATH as a pidfile" do |arg|

data/lib/puma/client.rb

@@ -2,6 +2,7 @@
 
 require_relative 'detect'
 require_relative 'io_buffer'
+require_relative 'client_env'
 require 'tempfile'
 
 if Puma::IS_JRUBY
@@ -20,8 +21,8 @@ module Puma
   #———————————————————————— DO NOT USE — this class is for internal use only ———
 
 
-  # An instance of this class represents a unique request from a client.
-  # For example, this could be a web request from a browser or from CURL.
+  # An instance of this class wraps a connection/socket.
+  # For example, this could be an http request from a browser or from CURL.
   #
   # An instance of `Puma::Client` can be used as if it were an IO object
   # by the reactor. The reactor is expected to call `#to_io`
@@ -29,12 +30,18 @@ module Puma
   # `IO::try_convert` (which may call `#to_io`) when a new socket is
   # registered.
   #
-  # Instances of this class are responsible for knowing if
-  # the header and body are fully buffered via the `try_to_finish` method.
+  # Instances of this class are responsible for knowing if the request line,
+  # headers and body are fully buffered and verified via the `try_to_finish` method.
+  # All verification of each request is done in the `Client` object.
   # They can be used to "time out" a response via the `timeout_at` reader.
   #
+  # Most of the code for env processing and verification is contained
+  # in `Puma::ClientEnv`, which is included.
+  #
   class Client # :nodoc:
 
+    include ClientEnv
+
     # this tests all values but the last, which must be chunked
     ALLOWED_TRANSFER_ENCODING = %w[compress deflate gzip].freeze
 
@@ -65,7 +72,13 @@ module Puma
     # no body share this one object since it has no state.
     EmptyBody = NullIO.new
 
-    include Puma::Const
+    attr_reader :env, :to_io, :body, :io, :timeout_at, :ready, :hijacked,
+                :tempfile, :io_buffer, :http_content_length_limit_exceeded,
+                :requests_served, :error_status_code
+
+    attr_writer :peerip, :http_content_length_limit, :supported_http_methods
+
+    attr_accessor :remote_addr_header, :listener, :env_set_http_version
 
     def initialize(io, env=nil)
       @io = io
@@ -91,7 +104,8 @@ module Puma
       @hijacked = false
 
       @http_content_length_limit = nil
-      @http_content_length_limit_exceeded = false
+      @http_content_length_limit_exceeded = nil
+      @error_status_code = nil
 
       @peerip = nil
       @peer_family = nil
@@ -107,14 +121,6 @@ module Puma
       @read_buffer = String.new # rubocop: disable Performance/UnfreezeString
     end
 
-    attr_reader :env, :to_io, :body, :io, :timeout_at, :ready, :hijacked,
-                :tempfile, :io_buffer, :http_content_length_limit_exceeded,
-                :requests_served
-
-    attr_writer :peerip, :http_content_length_limit
-
-    attr_accessor :remote_addr_header, :listener
-
     # Remove in Puma 7?
     def closed?
       @to_io.closed?
@@ -157,14 +163,15 @@ module Puma
       @parser.reset
       @io_buffer.reset
       @read_header = true
-      @read_proxy = !!@expect_proxy_proto
+      @read_proxy = !!@expect_proxy_proto && @requests_served.zero?
       @env = @proto_env.dup
       @parsed_bytes = 0
       @ready = false
       @body_remain = 0
       @peerip = nil if @remote_addr_header
       @in_last_chunk = false
-      @http_content_length_limit_exceeded = false
+      @http_content_length_limit_exceeded = nil
+      @error_status_code = nil
     end
 
     # only used with back-to-back requests contained in the buffer
@@ -174,12 +181,7 @@ module Puma
 
         @parsed_bytes = parser_execute
 
-        if @parser.finished?
-          return setup_body
-        elsif @parsed_bytes >= MAX_HEADER
-          raise HttpParserError,
-            "HEADER is longer than allowed, aborting client early."
-        end
+        @parser.finished? ? process_env_body : false
       end
     end
 
@@ -211,37 +213,42 @@ module Puma
     def try_to_parse_proxy_protocol
       if @read_proxy
         if @expect_proxy_proto == :v1
-          if @buffer.include? "\r\n"
-            if md = PROXY_PROTOCOL_V1_REGEX.match(@buffer)
-              if md[1]
-                @peerip = md[1].split(" ")[0]
+          crlf_index = @buffer.index "\r\n"
+
+          unless crlf_index
+            if "PROXY ".start_with? @buffer
+              return false
+            elsif @buffer.start_with? "PROXY "
+              if @buffer.bytesize >= PROXY_PROTOCOL_V1_MAX_LENGTH
+                raise ConnectionError, "PROXY protocol v1 line is too long"
               end
-              @buffer = md.post_match
+              return false
             end
-            # if the buffer has a \r\n but doesn't have a PROXY protocol
-            # request, this is just HTTP from a non-PROXY client; move on
+
             @read_proxy = false
-            return @buffer.size > 0
-          else
-            return false
+            return true
+          end
+
+          if @buffer.start_with?("PROXY ") && crlf_index + 2 > PROXY_PROTOCOL_V1_MAX_LENGTH
+            raise ConnectionError, "PROXY protocol v1 line is too long"
           end
+
+          if md = PROXY_PROTOCOL_V1_REGEX.match(@buffer)
+            if md[1]
+              @peerip = md[1].split(" ")[0]
+            end
+            @buffer = md.post_match
+          end
+          # if the buffer has a \r\n but doesn't have a PROXY protocol
+          # request, this is just HTTP from a non-PROXY client; move on
+          @read_proxy = false
+          return @buffer.size > 0
         end
       end
       true
     end
 
     def try_to_finish
-      if env[CONTENT_LENGTH] && above_http_content_limit(env[CONTENT_LENGTH].to_i)
-        @http_content_length_limit_exceeded = true
-      end
-
-      if @http_content_length_limit_exceeded
-        @buffer = nil
-        @body = EmptyBody
-        set_ready
-        return true
-      end
-
       return read_body if in_data_phase
 
       data = nil
@@ -272,18 +279,7 @@ module Puma
 
       @parsed_bytes = parser_execute
 
-      if @parser.finished? && above_http_content_limit(@parser.body.bytesize)
-        @http_content_length_limit_exceeded = true
-      end
-
-      if @parser.finished?
-        setup_body
-      elsif @parsed_bytes >= MAX_HEADER
-        raise HttpParserError,
-          "HEADER is longer than allowed, aborting client early."
-      else
-        false
-      end
+      @parser.finished? ? process_env_body : false
     end
 
     def eagerly_finish
@@ -303,7 +299,12 @@ module Puma
     # @return [Integer] bytes of buffer read by parser
     #
     def parser_execute
-      @parser.execute(@env, @buffer, @parsed_bytes)
+      ret = @parser.execute(@env, @buffer, @parsed_bytes)
+
+      if @env[REQUEST_METHOD] && @supported_http_methods != :any && !@supported_http_methods.key?(@env[REQUEST_METHOD])
+        raise HttpParserError501, "#{@env[REQUEST_METHOD]} method is not supported"
+      end
+      ret
     rescue => e
       @env[HTTP_CONNECTION] = 'close'
       raise e unless HttpParserError === e && e.message.include?('non-SSL')
@@ -337,6 +338,15 @@ module Puma
       end
     end
 
+    # processes the `env` and the request body
+    def process_env_body
+      temp = setup_body
+      normalize_env
+      req_env_post_parse
+      raise HttpParserError if @error_status_code
+      temp
+    end
+
     def timeout!
       write_error(408) if in_data_phase
       raise ConnectionError
@@ -353,12 +363,12 @@ module Puma
       return @peerip if @peerip
 
       if @remote_addr_header
-        hdr = (@env[@remote_addr_header] || @io.peeraddr.last).split(/[\s,]/).first
+        hdr = (@env[@remote_addr_header] || socket_peerip).split(/[\s,]/).first
         @peerip = hdr
         return hdr
       end
 
-      @peerip ||= @io.peeraddr.last
+      @peerip ||= socket_peerip
     end
 
     def peer_family
@@ -393,19 +403,36 @@ module Puma
 
     private
 
+    IPV4_MAPPED_IPV6_PREFIX = "::ffff:"
+    private_constant :IPV4_MAPPED_IPV6_PREFIX
+
+    def socket_peerip
+      unmap_ipv6(@io.peeraddr.last)
+    end
+
+    # Converts IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) back to
+    # their IPv4 form. These addresses appear when IPv4 clients connect to
+    # a dual-stack IPv6 socket.
+    def unmap_ipv6(addr)
+      addr.delete_prefix(IPV4_MAPPED_IPV6_PREFIX)
+    end
+
+    # Checks the request `Transfer-Encoding` and/or `Content-Length` to see if
+    # they are valid.  Raises errors if not, otherwise reads the body.
+    # @return [Boolean] true if the body can be completely read, false otherwise
+    #
     def setup_body
       @body_read_start = Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_millisecond)
 
       if @env[HTTP_EXPECT] == CONTINUE
-        # TODO allow a hook here to check the headers before
-        # going forward
+        # TODO allow a hook here to check the headers before going forward
         @io << HTTP_11_100
         @io.flush
       end
 
       @read_header = false
 
-      body = @parser.body
+      parser_body = @parser.body
 
       te = @env[TRANSFER_ENCODING2]
       if te
@@ -422,10 +449,10 @@ module Puma
             raise HttpParserError501, "#{TE_ERR_MSG}, unknown value: '#{te}'"
           end
           @env.delete TRANSFER_ENCODING2
-          return setup_chunked_body body
+          return setup_chunked_body parser_body
         elsif te_lwr == CHUNKED
           @env.delete TRANSFER_ENCODING2
-          return setup_chunked_body body
+          return setup_chunked_body parser_body
         elsif ALLOWED_TRANSFER_ENCODING.include? te_lwr
           raise HttpParserError     , "#{TE_ERR_MSG}, single value must be chunked: '#{te}'"
         else
@@ -440,10 +467,12 @@ module Puma
       if cl
         # cannot contain characters that are not \d, or be empty
         if CONTENT_LENGTH_VALUE_INVALID.match?(cl) || cl.empty?
+          @error_status_code = 400
+          @env[HTTP_CONNECTION] = 'close'
           raise HttpParserError, "Invalid Content-Length: #{cl.inspect}"
         end
       else
-        @buffer = body.empty? ? nil : body
+        @buffer = parser_body.empty? ? nil : parser_body
         @body = EmptyBody
         set_ready
         return true
@@ -451,23 +480,25 @@ module Puma
 
       content_length = cl.to_i
 
-      remain = content_length - body.bytesize
+      raise_above_http_content_limit if @http_content_length_limit&.< content_length
+
+      remain = content_length - parser_body.bytesize
 
       if remain <= 0
-        # Part of the body is a pipelined request OR garbage. We'll deal with that later.
+        # Part of the parser_body is a pipelined request OR garbage. We'll deal with that later.
         if content_length == 0
           @body = EmptyBody
-          if body.empty?
+          if parser_body.empty?
             @buffer = nil
           else
-            @buffer = body
+            @buffer = parser_body
           end
         elsif remain == 0
-          @body = StringIO.new body
+          @body = StringIO.new parser_body
           @buffer = nil
         else
-          @body = StringIO.new(body[0,content_length])
-          @buffer = body[content_length..-1]
+          @body = StringIO.new(parser_body[0,content_length])
+          @buffer = parser_body[content_length..-1]
         end
         set_ready
         return true
@@ -479,12 +510,12 @@ module Puma
         @body.binmode
         @tempfile = @body
       else
-        # The body[0,0] trick is to get an empty string in the same
-        # encoding as body.
-        @body = StringIO.new body[0,0]
+        # The parser_body[0,0] trick is to get an empty string in the same
+        # encoding as parser_body.
+        @body = StringIO.new parser_body[0,0]
       end
 
-      @body.write body
+      @body.write parser_body
 
       @body_remain = remain
 
@@ -577,6 +608,10 @@ module Puma
 
     # @version 5.0.0
     def write_chunk(str)
+      if @http_content_length_limit&.< @chunked_content_length + str.bytesize
+        raise_above_http_content_limit
+      end
+
       @chunked_content_length += @body.write(str)
     end
 
@@ -709,8 +744,13 @@ module Puma
       @ready = true
     end
 
-    def above_http_content_limit(value)
-      @http_content_length_limit&.< value
+    def raise_above_http_content_limit
+      @http_content_length_limit_exceeded = true
+      @buffer = nil
+      @body = EmptyBody
+      @error_status_code = 413
+      @env[HTTP_CONNECTION] = 'close'
+      raise HttpParserError, "Payload Too Large"
     end
   end
 end

data/lib/puma/client_env.rb

@@ -0,0 +1,171 @@
+# frozen_string_literal: true
+
+module Puma
+
+  #———————————————————————— DO NOT USE — this class is for internal use only ———
+
+
+  # This module is included in `Client`.  It contains code to process the `env`
+  # before it is passed to the app.
+  #
+  module ClientEnv # :nodoc:
+
+    include Puma::Const
+
+    # Given a Hash +env+ for the request read from +client+, add
+    # and fixup keys to comply with Rack's env guidelines.
+    # @param env [Hash] see Puma::Client#env, from request
+    # @param client [Puma::Client] only needed for Client#peerip
+    #
+    def normalize_env
+      if host = @env[HTTP_HOST]
+        # host can be a hostname, ipv4 or bracketed ipv6. Followed by an optional port.
+        if colon = host.rindex("]:") # IPV6 with port
+          @env[SERVER_NAME] = host[0, colon+1]
+          @env[SERVER_PORT] = host[colon+2, host.bytesize]
+        elsif !host.start_with?("[") && colon = host.index(":") # not hostname or IPV4 with port
+          @env[SERVER_NAME] = host[0, colon]
+          @env[SERVER_PORT] = host[colon+1, host.bytesize]
+        else
+          @env[SERVER_NAME] = host
+          @env[SERVER_PORT] = default_server_port
+        end
+      else
+        @env[SERVER_NAME] = LOCALHOST
+        @env[SERVER_PORT] = default_server_port
+      end
+
+      unless @env[REQUEST_PATH]
+        # it might be a dumbass full host request header
+        uri = begin
+          URI.parse(@env[REQUEST_URI])
+        rescue URI::InvalidURIError
+          raise Puma::HttpParserError
+        end
+        @env[REQUEST_PATH] = uri.path
+
+        # A nil env value will cause a LintError (and fatal errors elsewhere),
+        # so only set the env value if there actually is a value.
+        @env[QUERY_STRING] = uri.query if uri.query
+      end
+
+      @env[PATH_INFO] = @env[REQUEST_PATH].to_s # #to_s in case it's nil
+
+      # From https://www.ietf.org/rfc/rfc3875 :
+      # "Script authors should be aware that the REMOTE_ADDR and
+      # REMOTE_HOST meta-variables (see sections 4.1.8 and 4.1.9)
+      # may not identify the ultimate source of the request.
+      # They identify the client for the immediate request to the
+      # server; that client may be a proxy, gateway, or other
+      # intermediary acting on behalf of the actual source client."
+      #
+
+      unless @env.key?(REMOTE_ADDR)
+        begin
+          addr = peerip
+        rescue Errno::ENOTCONN
+          # Client disconnects can result in an inability to get the
+          # peeraddr from the socket; default to unspec.
+          if peer_family == Socket::AF_INET6
+            addr = UNSPECIFIED_IPV6
+          else
+            addr = UNSPECIFIED_IPV4
+          end
+        end
+
+        # Set unix socket addrs to localhost
+        if addr.empty?
+          addr = peer_family == Socket::AF_INET6 ? LOCALHOST_IPV6 : LOCALHOST_IPV4
+        end
+
+        @env[REMOTE_ADDR] = addr
+      end
+
+      # The legacy HTTP_VERSION header can be sent as a client header.
+      # Rack v4 may remove using HTTP_VERSION.  If so, remove this line.
+      @env[HTTP_VERSION] = @env[SERVER_PROTOCOL] if @env_set_http_version
+
+      @env[PUMA_SOCKET] = @io
+
+      if @env[HTTPS_KEY] && @io.peercert
+        @env[PUMA_PEERCERT] = @io.peercert
+      end
+
+      @env[HIJACK_P] = true
+      @env[HIJACK] = method(:full_hijack).to_proc
+
+      @env[RACK_INPUT] = @body || EmptyBody
+      @env[RACK_URL_SCHEME] ||= default_server_port == PORT_443 ? HTTPS : HTTP
+    end
+
+    # Fixup any headers with `,` in the name to have `_` now. We emit
+    # headers with `,` in them during the parse phase to avoid ambiguity
+    # with the `-` to `_` conversion for critical headers. But here for
+    # compatibility, we'll convert them back. This code is written to
+    # avoid allocation in the common case (ie there are no headers
+    # with `,` in their names), that's why it has the extra conditionals.
+    #
+    # @note If a normalized version of a `,` header already exists, we ignore
+    #       the `,` version. This prevents clobbering headers managed by proxies
+    #       but not by clients (Like X-Forwarded-For).
+    #
+    # @param env [Hash] see Puma::Client#env, from request, modifies in place
+    # @version 5.0.3
+    #
+    def req_env_post_parse
+      to_delete = nil
+      to_add = nil
+
+      @env.each do |k,v|
+        if k.start_with?("HTTP_") && k.include?(",") && !UNMASKABLE_HEADERS.key?(k)
+          if to_delete
+            to_delete << k
+          else
+            to_delete = [k]
+          end
+
+          new_k = k.tr(",", "_")
+          if @env.key?(new_k)
+            next
+          end
+
+          unless to_add
+            to_add = {}
+          end
+
+          to_add[new_k] = v
+        end
+      end
+
+      if to_delete # rubocop:disable Style/SafeNavigation
+        to_delete.each { |k| env.delete(k) }
+      end
+
+      if to_add
+        @env.merge! to_add
+      end
+
+      # A rack extension. If the app writes #call'ables to this
+      # array, we will invoke them when the request is done.
+      #
+      env[RACK_AFTER_REPLY] ||= []
+      env[RACK_RESPONSE_FINISHED] ||= []
+    end
+
+    HTTP_ON_VALUES = { "on" => true, HTTPS => true }
+    private_constant :HTTP_ON_VALUES
+
+    # @return [Puma::Const::PORT_443,Puma::Const::PORT_80]
+    #
+    def default_server_port
+      if HTTP_ON_VALUES[@env[HTTPS_KEY]] ||
+          @env[HTTP_X_FORWARDED_PROTO]&.start_with?(HTTPS) ||
+          @env[HTTP_X_FORWARDED_SCHEME] == HTTPS ||
+          @env[HTTP_X_FORWARDED_SSL] == "on"
+        PORT_443
+      else
+        PORT_80
+      end
+    end
+  end
+end

data/lib/puma/cluster.rb

@@ -87,7 +87,7 @@ module Puma
         end
 
         debug "Spawned worker: #{pid}"
-        @workers << WorkerHandle.new(idx, pid, @phase, @options)
+        @workers.insert(idx, WorkerHandle.new(idx, pid, @phase, @options))
       end
 
       if @options[:fork_worker] && all_workers_in_phase?