RubyGems - puma - Versions diffs - 8.0.1-java → 8.0.2-java - Mend

puma 8.0.1-java → 8.0.2-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a38c45e1b22ea99d68806acf6531c365c9cf133bb313519110ed89edaffe5a9
-  data.tar.gz: 5f192c72add0cd60e50af737f6da9ef8ef8ca5562d2a0000f58a49c7200fbbd3
+  metadata.gz: ccf5cdd3f952f6ea55feda29b8899a36cc64ce8ecb5c79bb981f0450b7a74962
+  data.tar.gz: c0094d7ac6edb28c93ad7354b719fbd337278ff743f7b7ea7a4268736e12e70d
 SHA512:
-  metadata.gz: 5145a289341bde05e061cc6cca6896aaa7ad07ed6b2f46f0c824236b1787490265d91ff84e9d1f9a701b279efac5a4345f30c912943334f831787209a72eb4cf
-  data.tar.gz: 8d0cb9f0310aa6adbcdf5c44d3507a15e0a0dfaa4cc068decb63ff92ad95895a7cad5476a4f38f324abf0dd5e5d8496845c30b59ac1a92100e06bf60c558e0e1
+  metadata.gz: 6e371849168d7a0f5ba1d88c12083a7aec0c8530e518251da1d077bc90af3cccdd1fbf43c7166881a8e8a87e5b5ffdef9782cf863907bf9c2dae5ba4c6010d52
+  data.tar.gz: e85bb20d08fbdf474558b0abb8cead8de3e4a26373134c19872eb9eb8850ee92fd42c09987777c535cf6bcd50f1f2f7622282277ef36aaab6cce7d792a354e71

data/History.md CHANGED Viewed

@@ -1,3 +1,9 @@
+## 8.0.2 / 2026-05-27
+* Bugfixes
+  * Anchor PROXY protocol v1 regex to string start and enforce max line length to prevent injection via crafted request bodies ([#3944])
+  * Parse PROXY protocol header only on the first request per connection to prevent spoofing on keep-alive connections ([#3944])
 ## 8.0.1 / 2026-04-27
 * Bugfixes
@@ -2335,6 +2341,7 @@ be added back in a future date when a java Puma::MiniSSL is added.
 * Bugfixes
   * Your bugfix goes here <Most recent on the top, like GitHub> (#Github Number)
+[#3944]:https://github.com/puma/puma/pull/3944     "PR by Nate Berkopec, merged 2026-05-26"
 [#3929]:https://github.com/puma/puma/pull/3929     "PR by Joshua Young, merged 2026-04-26"
 [#3928]:https://github.com/puma/puma/pull/3928     "PR by Nate Berkopec, merged 2026-04-16"
 [#3923]:https://github.com/puma/puma/pull/3923     "PR by Joshua Young, merged 2026-04-10"

data/lib/puma/client.rb CHANGED Viewed

@@ -163,7 +163,7 @@ module Puma
       @parser.reset
       @io_buffer.reset
       @read_header = true
-      @read_proxy = !!@expect_proxy_proto
+      @read_proxy = !!@expect_proxy_proto && @requests_served.zero?
       @env = @proto_env.dup
       @parsed_bytes = 0
       @ready = false
@@ -213,20 +213,36 @@ module Puma
     def try_to_parse_proxy_protocol
       if @read_proxy
         if @expect_proxy_proto == :v1
-          if @buffer.include? "\r\n"
-            if md = PROXY_PROTOCOL_V1_REGEX.match(@buffer)
-              if md[1]
-                @peerip = md[1].split(" ")[0]
+          crlf_index = @buffer.index "\r\n"
+          unless crlf_index
+            if "PROXY ".start_with? @buffer
+              return false
+            elsif @buffer.start_with? "PROXY "
+              if @buffer.bytesize >= PROXY_PROTOCOL_V1_MAX_LENGTH
+                raise ConnectionError, "PROXY protocol v1 line is too long"
               end
-              @buffer = md.post_match
+              return false
             end
-            # if the buffer has a \r\n but doesn't have a PROXY protocol
-            # request, this is just HTTP from a non-PROXY client; move on
             @read_proxy = false
-            return @buffer.size > 0
-          else
-            return false
+            return true
+          end
+          if @buffer.start_with?("PROXY ") && crlf_index + 2 > PROXY_PROTOCOL_V1_MAX_LENGTH
+            raise ConnectionError, "PROXY protocol v1 line is too long"
+          end
+          if md = PROXY_PROTOCOL_V1_REGEX.match(@buffer)
+            if md[1]
+              @peerip = md[1].split(" ")[0]
+            end
+            @buffer = md.post_match
           end
+          # if the buffer has a \r\n but doesn't have a PROXY protocol
+          # request, this is just HTTP from a non-PROXY client; move on
+          @read_proxy = false
+          return @buffer.size > 0
         end
       end
       true

data/lib/puma/const.rb CHANGED Viewed

@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
-    PUMA_VERSION = VERSION = "8.0.1"
+    PUMA_VERSION = VERSION = "8.0.2"
     CODE_NAME = "Into the Arena"
     PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze
@@ -291,7 +291,8 @@ module Puma
     # Banned keys of response header
     BANNED_HEADER_KEY = /\A(rack\.|status\z)/.freeze
-    PROXY_PROTOCOL_V1_REGEX = /^PROXY (?:TCP4|TCP6|UNKNOWN) ([^\r]+)\r\n/.freeze
+    PROXY_PROTOCOL_V1_REGEX = /\APROXY (?:TCP4|TCP6|UNKNOWN) ([^\r]+)\r\n/.freeze
+    PROXY_PROTOCOL_V1_MAX_LENGTH = 107
     # All constants are prefixed with `PIPE_` to avoid name collisions.
     module PipeRequest

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 8.0.1
+  version: 8.0.2
 platform: java
 authors:
 - Evan Phoenix