puma 3.12.2-java → 3.12.4-java


Potentially problematic release.


checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 835d444c7e619728a20f960ff33b6d09c0ee07b5d63428ba34ce22e7408ecbfb
4
- data.tar.gz: 7474d589404b47d916e134be4ed568652f029be024dfbb82c7ab404a7cb50daa
3
+ metadata.gz: bc1c0e8423cd9fa884caee68e9a30ce9842452918faddb8d42a5911da368901c
4
+ data.tar.gz: 248b30d1d6bde1c17d5643ba8facca3aed0fe45513648a811db4334b5718d5af
5
5
  SHA512:
6
- metadata.gz: 4cae9db11916b0e7838fd3949f7a71a7531ad9fb2c32f8312686a614d8f5b04a24d60b790ddca3af9c47dccad5212ba64f180d04a45d5ad47dfdb7f3c39054c5
7
- data.tar.gz: 79a5ff3eb5c648690829404bc15535ae4f8082f3bdb5bc1740bbc36fdaa836fe4e32bdf7f3597b11a48a8f9ca0e98ffbb6370109747c378d2df707d90caaeadc
6
+ metadata.gz: ef8d286c5898f7284c09d384db6a0fa1f7c77729ae49a8ff3015983f09a13e5c9fe4b7d2497deb7aa4673af5de0304b7909178722a51d1f5e62701cf635b238c
7
+ data.tar.gz: 1de175b0905a0019b2108c95cc37f49318b7343144e4aac5f0a818ff1691097cc1413765a39f64faa0987cf43c338ae1b67f34b9db6d1d2f3f2b18269e1588f9
data/History.md CHANGED
@@ -4,6 +4,18 @@
4
4
 
5
5
  * x bugfixes
6
6
 
7
+
8
+ ## 4.3.3 and 3.12.4 / 2020-02-28
9
+ * Bugfixes
10
+ * Fix: Fixes a problem where we weren't splitting headers correctly on newlines (#2132)
11
+ * Security
12
+ * Fix: Prevent HTTP Response splitting via CR in early hints.
13
+
14
+ ## 4.3.2 and 3.12.3 / 2020-02-27
15
+
16
+ * Security
17
+ * Fix: Prevent HTTP Response splitting via CR/LF in header values. CVE-2020-5247.
18
+
7
19
  ## 4.3.1 and 3.12.2 / 2019-12-05
8
20
 
9
21
  * Security
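Review bot: the 3.12.4 Security entry (`Fix: Prevent HTTP Response splitting via CR in early hints.`) carries no advisory identifier, whereas the 3.12.3 entry just below it cites CVE-2020-5247; if an identifier has been assigned for the early-hints fix, add it to this line so that dependency scanners and readers of the changelog can match the release to its advisory. The 3.12.4 Bugfixes entry also has a stray blank `+` line above its heading while the 3.12.3 block keeps one blank line on each side; aligning the spacing keeps the rendered changelog consistent.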
data/lib/puma/const.rb CHANGED
@@ -100,7 +100,7 @@ module Puma
100
100
  # too taxing on performance.
101
101
  module Const
102
102
 
103
- PUMA_VERSION = VERSION = "3.12.2".freeze
103
+ PUMA_VERSION = VERSION = "3.12.4".freeze
104
104
  CODE_NAME = "Llamas in Pajamas".freeze
105
105
  PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
106
106
 
@@ -228,6 +228,7 @@ module Puma
228
228
  COLON = ": ".freeze
229
229
 
230
230
  NEWLINE = "\n".freeze
231
+ HTTP_INJECTION_REGEX = /[\r\n]/.freeze
231
232
 
232
233
  HIJACK_P = "rack.hijack?".freeze
233
234
  HIJACK = "rack.hijack".freeze
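Review bot: `HTTP_INJECTION_REGEX = /[\r\n]/.freeze` is added with no comment saying what it guards against; the name alone does not tell a reader that any CR or LF inside a header value is treated as a response-splitting attempt and the value is discarded. A one-line comment above it would help, and it is worth stating there that callers in server.rb split values on `NEWLINE` (`"\n"`, defined two lines above) before applying this regex, so in practice it is catching a bare `\r` or a `\r` left over from a CRLF-joined value.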
Binary file
data/lib/puma/server.rb CHANGED
@@ -653,6 +653,7 @@ module Puma
653
653
  headers.each_pair do |k, vs|
654
654
  if vs.respond_to?(:to_s) && !vs.to_s.empty?
655
655
  vs.to_s.split(NEWLINE).each do |v|
656
+ next if possible_header_injection?(v)
656
657
  fast_write client, "#{k}: #{v}\r\n"
657
658
  end
658
659
  else
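Review bot: `next if possible_header_injection?(v)` drops the offending header value silently, so an application that emits a bad value never learns its header was never sent; a log line at warn or debug level would make the behaviour visible to operators. Also note that `v` comes from `vs.to_s.split(NEWLINE)` with `NEWLINE` being `"\n"`, so a value joined with CRLF such as `"a\r\nb"` splits into `"a\r"` and `"b"`: the first fragment is discarded and the second is written, which is a behaviour change for applications that join multi-value headers with CRLF. Decide whether stripping a trailing `\r` before the check, or splitting on `/\r?\n/`, is the intended handling, and document it.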
@@ -751,6 +752,7 @@ module Puma
751
752
  headers.each do |k, vs|
752
753
  case k.downcase
753
754
  when CONTENT_LENGTH2
755
+ next if possible_header_injection?(vs)
754
756
  content_length = vs
755
757
  next
756
758
  when TRANSFER_ENCODING
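Review bot: for `CONTENT_LENGTH2` the added `next` skips the `content_length = vs` assignment, so a Content-Length header whose value contains CR or LF is dropped and the response continues as if no length had been supplied; that is the safe choice, but it deserves a log line, since the client will then receive a differently framed response than the application intended. Unlike the other two call sites, `vs` is checked here unsplit, which is appropriate because Content-Length must be a single token, but a short comment saying so would stop a future reader from "fixing" the inconsistency.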
@@ -763,6 +765,7 @@ module Puma
763
765
 
764
766
  if vs.respond_to?(:to_s) && !vs.to_s.empty?
765
767
  vs.to_s.split(NEWLINE).each do |v|
768
+ next if possible_header_injection?(v)
766
769
  lines.append k, colon, v, line_ending
767
770
  end
768
771
  else
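Review bot: this hunk duplicates the split-then-filter logic of the `fast_write` loop above, with the same consequence that `"a\r"` fragments from CRLF-joined values are dropped while the remainder is appended to `lines`; consider extracting the `split(NEWLINE)` plus `possible_header_injection?` filtering into one helper so that both response-writing paths stay in sync when the handling of trailing `\r` is revisited.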
@@ -1029,5 +1032,10 @@ module Puma
1029
1032
  def shutting_down?
1030
1033
  @status == :stop || @status == :restart
1031
1034
  end
1035
+
1036
+ def possible_header_injection?(header_value)
1037
+ HTTP_INJECTION_REGEX =~ header_value.to_s
1038
+ end
1039
+ private :possible_header_injection?
1032
1040
  end
1033
1041
  end
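Review bot: `possible_header_injection?` returns the match offset or `nil` from `=~` rather than `true`/`false`; that is correct in Ruby because `0` is truthy, but a `?` method is conventionally boolean, so `!!(HTTP_INJECTION_REGEX =~ header_value.to_s)` would make the intent explicit and keep callers from accidentally treating the result as a number. The method also has no doc comment; one sentence stating that any CR or LF in a header value is treated as a response-splitting attempt and that the `.to_s` coercion is there so non-String values (Integers, arrays via `to_s`) are checked too would cover what a reader needs.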
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puma
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.12.2
4
+ version: 3.12.4
5
5
  platform: java
6
6
  authors:
7
7
  - Evan Phoenix
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-12-05 00:00:00.000000000 Z
11
+ date: 2020-02-28 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server
14
14
  for Ruby/Rack applications. Puma is intended for use in both development and production