puma 4.3.0-java → 4.3.1-java

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of puma might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6e6d09366b4b771a3942466e98d52d3af9a879420e1debed767b53eaa4edaf36
4
- data.tar.gz: 6f1ae43b69087282ec3c11519c0d64613180d4655a7f2d4c93a13a0856e2b99a
3
+ metadata.gz: aa5c4775b6154a8fda14a3a8dc2004cac2be0f81d1114e23a558e9d625a3eb89
4
+ data.tar.gz: fc66d17895f167abb2eb59a299f50880d3b4c79f80f405d2427bb8d46ed853f9
5
5
  SHA512:
6
- metadata.gz: 761970dd43e44b0f58d87129eb9c94921bdc073942ab8f351de9afea5ee471daf1ff94fe101e4e04e71988738b55b56f2bc035eba9274eb763b4071c19e5514b
7
- data.tar.gz: ac47fae97e259a53e76c4153da10d2cccedee210c17bdabcffcbf585e78c8cf3eb5efcca55c87ec8218b5455a37f90421a97f8592192bbc6e4d611f90b01e082
6
+ metadata.gz: f1db3eeddfcf8abd56c5d34d58a6f4f7485c435bc79036305b0ce69a0b0a5263a7ea543119c335726c368f405bb3f3c58e40206dbe4aa027a95744b136245d74
7
+ data.tar.gz: d2e2229abb66f44c7811be9d7ef8c771943189b9af7a9719034bf0d50cebedea819d3428b0d1d53bb4b3d7d2d1d919562c9d6e3c885fca7c2f6d9aa2b6e67152
data/History.md CHANGED
@@ -6,6 +6,11 @@
6
6
  * Bugfixes
7
7
  * Your bugfix goes here (#Github Number)
8
8
 
9
+ ## 4.3.1 and 3.12.2 / 2019-12-05
10
+
11
+ * Security
12
+ * Fix: a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. CVE-2019-16770.
13
+
9
14
  ## 4.3.0 / 2019-11-07
10
15
 
11
16
  * Features
@@ -100,7 +100,7 @@ module Puma
100
100
  # too taxing on performance.
101
101
  module Const
102
102
 
103
- PUMA_VERSION = VERSION = "4.3.0".freeze
103
+ PUMA_VERSION = VERSION = "4.3.1".freeze
104
104
  CODE_NAME = "Mysterious Traveller".freeze
105
105
  PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
106
106
 
@@ -118,6 +118,13 @@ module Puma
118
118
  # sending data back
119
119
  WRITE_TIMEOUT = 10
120
120
 
121
+ # How many requests to attempt inline before sending a client back to
122
+ # the reactor to be subject to normal ordering. The idea here is that
123
+ # we amortize the cost of going back to the reactor for a well behaved
124
+ # but very "greedy" client across 10 requests. This prevents a not
125
+ # well behaved client from monopolizing the thread forever.
126
+ MAX_FAST_INLINE = 10
127
+
121
128
  # The original URI requested by the client.
122
129
  REQUEST_URI= 'REQUEST_URI'.freeze
123
130
  REQUEST_PATH = 'REQUEST_PATH'.freeze
@@ -466,6 +466,8 @@ module Puma
466
466
  clean_thread_locals = @options[:clean_thread_locals]
467
467
  close_socket = true
468
468
 
469
+ requests = 0
470
+
469
471
  while true
470
472
  case handle_request(client, buffer)
471
473
  when false
@@ -479,7 +481,19 @@ module Puma
479
481
 
480
482
  ThreadPool.clean_thread_locals if clean_thread_locals
481
483
 
482
- unless client.reset(@status == :run)
484
+ requests += 1
485
+
486
+ check_for_more_data = @status == :run
487
+
488
+ if requests >= MAX_FAST_INLINE
489
+ # This will mean that reset will only try to use the data it already
490
+ # has buffered and won't try to read more data. What this means is that
491
+ # every client, independent of their request speed, gets treated like a slow
492
+ # one once every MAX_FAST_INLINE requests.
493
+ check_for_more_data = false
494
+ end
495
+
496
+ unless client.reset(check_for_more_data)
483
497
  close_socket = false
484
498
  client.set_timeout @persistent_timeout
485
499
  @reactor.add client
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puma
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.3.0
4
+ version: 4.3.1
5
5
  platform: java
6
6
  authors:
7
7
  - Evan Phoenix
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-11-07 00:00:00.000000000 Z
11
+ date: 2019-12-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement