puma 4.3.0 → 4.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f2ba02cb19976145aa1824079a79d468fad878ca58bdb902f60a58b184049714
-  data.tar.gz: fcfa744db7db86e4acfbfb3d14659ec4aefa86ec249f6105ea7c54d97e361e97
+  metadata.gz: 0c3e9fdfe5225baf88ff5ee9ec6f58201a220a482d72e5217309964a22b7ccc0
+  data.tar.gz: 541ad3a7311662ca31e3de234870b03d6aac3eb925c8ad04e7a857bac097edc8
 SHA512:
-  metadata.gz: 875da8dd65d1c85f3912988c0b8b371fcfe1ef2cc99dbb9d4108c2141c2a0427a3db2cca684e82f5b955c564785d3e49f3723aeb64264d76cc4395ec7da2815c
-  data.tar.gz: 7460c59d0ec3d2c1733fafd35a33c434385da60b70e325f6c85aeeb2ccdea25e07c2b16f7f08f7cc14cccdf44780d5d5f98b1581fb3565e3557dbfb844e4a332
+  metadata.gz: 8dc3a1d604212819aa8dc549b767cf00e3c237c95f0053ec61f6750666097980a1fbd2c350b1c47e59a1047d1a0bb35451914629f2829a66ded20a930939a60e
+  data.tar.gz: f906230de96dd55841faaf6968939b4a096acb9933e91b34c8aada201e1c5e259c567ce8dce744490093072f6cb9d9553b7d83752e07ec7502973c72990563d4

data/History.md

@@ -6,6 +6,11 @@
 * Bugfixes
   * Your bugfix goes here (#Github Number)
 
+## 4.3.1 and 3.12.2 / 2019-12-05
+
+* Security
+  * Fix: a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. CVE-2019-16770.
+
 ## 4.3.0 / 2019-11-07
 
 * Features

data/lib/puma/const.rb

@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "4.3.0".freeze
+    PUMA_VERSION = VERSION = "4.3.1".freeze
     CODE_NAME = "Mysterious Traveller".freeze
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
 
@@ -118,6 +118,13 @@ module Puma
     # sending data back
     WRITE_TIMEOUT = 10
 
+    # How many requests to attempt inline before sending a client back to
+    # the reactor to be subject to normal ordering. The idea here is that
+    # we amortize the cost of going back to the reactor for a well behaved
+    # but very "greedy" client across 10 requests. This prevents a not
+    # well behaved client from monopolizing the thread forever.
+    MAX_FAST_INLINE = 10
+
     # The original URI requested by the client.
     REQUEST_URI= 'REQUEST_URI'.freeze
     REQUEST_PATH = 'REQUEST_PATH'.freeze

data/lib/puma/server.rb

@@ -466,6 +466,8 @@ module Puma
         clean_thread_locals = @options[:clean_thread_locals]
         close_socket = true
 
+        requests = 0
+
         while true
           case handle_request(client, buffer)
           when false
@@ -479,7 +481,19 @@ module Puma
 
             ThreadPool.clean_thread_locals if clean_thread_locals
 
-            unless client.reset(@status == :run)
+            requests += 1
+
+            check_for_more_data = @status == :run
+
+            if requests >= MAX_FAST_INLINE
+              # This will mean that reset will only try to use the data it already
+              # has buffered and won't try to read more data. What this means is that
+              # every client, independent of their request speed, gets treated like a slow
+              # one once every MAX_FAST_INLINE requests.
+              check_for_more_data = false
+            end
+
+            unless client.reset(check_for_more_data)
               close_socket = false
               client.set_timeout @persistent_timeout
               @reactor.add client

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 4.3.0
+  version: 4.3.1
 platform: ruby
 authors:
 - Evan Phoenix
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-07 00:00:00.000000000 Z
+date: 2019-12-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nio4r