puma 4.3.11 → 4.3.12

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of puma might be problematic. Click here for more details.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f01631d0dd0843d149b6af364b95378f66e93b20ca449e8a734c445cfc74a9b9
4
- data.tar.gz: 38ff0fb797898ba2981bfe201ce279400151e2c77d1741f028bcb168fe825bd8
3
+ metadata.gz: 55de061927f854a6aa5886c0ef6573a6a95306afadf4eb156fbf3e59d54f3574
4
+ data.tar.gz: 9b58b994708cae549af93d92568f5111eb831404f9f189662ea73ff5c914ece3
5
5
  SHA512:
6
- metadata.gz: 4f712a8da3d29f6890321a468d49bb9eb104063d6c49ea27ce58101538b1f99180bd4c7a8f96817cf20e1a42b00e8043d760126e9cc899fe335fbddeb6462f45
7
- data.tar.gz: 4bf8d5bc37ab8f45452967a3bb6c4f30e712c5a73ebaf86db82367dddd4766de651410c29295c292c4bc6b06dffd042c0bf4d3f6acf4c92e0abba6a106b8e43c
6
+ metadata.gz: a5208ba5fc102a2d5df875490bf99afdf95aa2614a82503806aedf13dcf58c61cd62551aece57762bc6c54f5ae71a3517efb4b17d4d9eace27f99270ec1b9f6e
7
+ data.tar.gz: 5555c0290a7db01cdddfb19555caaa9b4d20085ef28297d436f3f37c2e5732d53f754d2ced9f76ffbc061c20e401ae68fd4819e630e12f17d335e6464dc42615
data/History.md CHANGED
@@ -1,3 +1,8 @@
1
+ ## 4.3.12 / 2022-03-30
2
+
3
+ * Security
4
+ * Close several HTTP Request Smuggling exploits (CVE-2022-24790)
5
+
1
6
  ## 4.3.11 / 2022-02-11
2
7
 
3
8
  * Security
@@ -22,6 +22,14 @@ unless ENV["DISABLE_SSL"]
22
22
  # with versions after 1.1.1
23
23
  have_func "TLS_server_method" , "openssl/ssl.h"
24
24
  have_macro "SSL_CTX_set_min_proto_version", "openssl/ssl.h"
25
+
26
+ # Random.bytes available in Ruby 2.5 and later, Random::DEFAULT deprecated in 3.0
27
+ if Random.respond_to?(:bytes)
28
+ $defs.push("-DHAVE_RANDOM_BYTES")
29
+ puts "checking for Random.bytes... yes"
30
+ else
31
+ puts "checking for Random.bytes... no"
32
+ end
25
33
  end
26
34
  end
27
35
 
@@ -62,44 +62,65 @@ ms_conn* engine_alloc(VALUE klass, VALUE* obj) {
62
62
  return conn;
63
63
  }
64
64
 
65
- DH *get_dh1024() {
66
- /* `openssl dhparam 1024 -C`
65
+ DH *get_dh2048(void) {
66
+ /* `openssl dhparam -C 2048`
67
67
  * -----BEGIN DH PARAMETERS-----
68
- * MIGHAoGBALPwcEv0OstmQCZdfHw0N5r+07lmXMxkpQacy1blwj0LUqC+Divp6pBk
69
- * usTJ9W2/dOYr1X7zi6yXNLp4oLzc/31PUL3D9q8CpGS7vPz5gijKSw9BwCTT5z9+
70
- * KF9v46qw8XqT5HHV87sWFlGQcVFq+pEkA2kPikkKZ/X/CCcpCAV7AgEC
68
+ * MIIBCAKCAQEAjmh1uQHdTfxOyxEbKAV30fUfzqMDF/ChPzjfyzl2jcrqQMhrk76o
69
+ * 2NPNXqxHwsddMZ1RzvU8/jl+uhRuPWjXCFZbhET4N1vrviZM3VJhV8PPHuiVOACO
70
+ * y32jFd+Szx4bo2cXSK83hJ6jRd+0asP1awWjz9/06dFkrILCXMIfQLo0D8rqmppn
71
+ * EfDDAwuudCpM9kcDmBRAm9JsKbQ6gzZWjkc5+QWSaQofojIHbjvj3xzguaCJn+oQ
72
+ * vHWM+hsAnaOgEwCyeZ3xqs+/5lwSbkE/tqJW98cEZGygBUVo9jxZRZx6KOfjpdrb
73
+ * yenO9LJr/qtyrZB31WJbqxI0m0AKTAO8UwIBAg==
71
74
  * -----END DH PARAMETERS-----
72
75
  */
73
- static unsigned char dh1024_p[] = {
74
- 0xB3,0xF0,0x70,0x4B,0xF4,0x3A,0xCB,0x66,0x40,0x26,0x5D,0x7C,
75
- 0x7C,0x34,0x37,0x9A,0xFE,0xD3,0xB9,0x66,0x5C,0xCC,0x64,0xA5,
76
- 0x06,0x9C,0xCB,0x56,0xE5,0xC2,0x3D,0x0B,0x52,0xA0,0xBE,0x0E,
77
- 0x2B,0xE9,0xEA,0x90,0x64,0xBA,0xC4,0xC9,0xF5,0x6D,0xBF,0x74,
78
- 0xE6,0x2B,0xD5,0x7E,0xF3,0x8B,0xAC,0x97,0x34,0xBA,0x78,0xA0,
79
- 0xBC,0xDC,0xFF,0x7D,0x4F,0x50,0xBD,0xC3,0xF6,0xAF,0x02,0xA4,
80
- 0x64,0xBB,0xBC,0xFC,0xF9,0x82,0x28,0xCA,0x4B,0x0F,0x41,0xC0,
81
- 0x24,0xD3,0xE7,0x3F,0x7E,0x28,0x5F,0x6F,0xE3,0xAA,0xB0,0xF1,
82
- 0x7A,0x93,0xE4,0x71,0xD5,0xF3,0xBB,0x16,0x16,0x51,0x90,0x71,
83
- 0x51,0x6A,0xFA,0x91,0x24,0x03,0x69,0x0F,0x8A,0x49,0x0A,0x67,
84
- 0xF5,0xFF,0x08,0x27,0x29,0x08,0x05,0x7B
76
+ static unsigned char dh2048_p[] = {
77
+ 0x8E, 0x68, 0x75, 0xB9, 0x01, 0xDD, 0x4D, 0xFC, 0x4E, 0xCB,
78
+ 0x11, 0x1B, 0x28, 0x05, 0x77, 0xD1, 0xF5, 0x1F, 0xCE, 0xA3,
79
+ 0x03, 0x17, 0xF0, 0xA1, 0x3F, 0x38, 0xDF, 0xCB, 0x39, 0x76,
80
+ 0x8D, 0xCA, 0xEA, 0x40, 0xC8, 0x6B, 0x93, 0xBE, 0xA8, 0xD8,
81
+ 0xD3, 0xCD, 0x5E, 0xAC, 0x47, 0xC2, 0xC7, 0x5D, 0x31, 0x9D,
82
+ 0x51, 0xCE, 0xF5, 0x3C, 0xFE, 0x39, 0x7E, 0xBA, 0x14, 0x6E,
83
+ 0x3D, 0x68, 0xD7, 0x08, 0x56, 0x5B, 0x84, 0x44, 0xF8, 0x37,
84
+ 0x5B, 0xEB, 0xBE, 0x26, 0x4C, 0xDD, 0x52, 0x61, 0x57, 0xC3,
85
+ 0xCF, 0x1E, 0xE8, 0x95, 0x38, 0x00, 0x8E, 0xCB, 0x7D, 0xA3,
86
+ 0x15, 0xDF, 0x92, 0xCF, 0x1E, 0x1B, 0xA3, 0x67, 0x17, 0x48,
87
+ 0xAF, 0x37, 0x84, 0x9E, 0xA3, 0x45, 0xDF, 0xB4, 0x6A, 0xC3,
88
+ 0xF5, 0x6B, 0x05, 0xA3, 0xCF, 0xDF, 0xF4, 0xE9, 0xD1, 0x64,
89
+ 0xAC, 0x82, 0xC2, 0x5C, 0xC2, 0x1F, 0x40, 0xBA, 0x34, 0x0F,
90
+ 0xCA, 0xEA, 0x9A, 0x9A, 0x67, 0x11, 0xF0, 0xC3, 0x03, 0x0B,
91
+ 0xAE, 0x74, 0x2A, 0x4C, 0xF6, 0x47, 0x03, 0x98, 0x14, 0x40,
92
+ 0x9B, 0xD2, 0x6C, 0x29, 0xB4, 0x3A, 0x83, 0x36, 0x56, 0x8E,
93
+ 0x47, 0x39, 0xF9, 0x05, 0x92, 0x69, 0x0A, 0x1F, 0xA2, 0x32,
94
+ 0x07, 0x6E, 0x3B, 0xE3, 0xDF, 0x1C, 0xE0, 0xB9, 0xA0, 0x89,
95
+ 0x9F, 0xEA, 0x10, 0xBC, 0x75, 0x8C, 0xFA, 0x1B, 0x00, 0x9D,
96
+ 0xA3, 0xA0, 0x13, 0x00, 0xB2, 0x79, 0x9D, 0xF1, 0xAA, 0xCF,
97
+ 0xBF, 0xE6, 0x5C, 0x12, 0x6E, 0x41, 0x3F, 0xB6, 0xA2, 0x56,
98
+ 0xF7, 0xC7, 0x04, 0x64, 0x6C, 0xA0, 0x05, 0x45, 0x68, 0xF6,
99
+ 0x3C, 0x59, 0x45, 0x9C, 0x7A, 0x28, 0xE7, 0xE3, 0xA5, 0xDA,
100
+ 0xDB, 0xC9, 0xE9, 0xCE, 0xF4, 0xB2, 0x6B, 0xFE, 0xAB, 0x72,
101
+ 0xAD, 0x90, 0x77, 0xD5, 0x62, 0x5B, 0xAB, 0x12, 0x34, 0x9B,
102
+ 0x40, 0x0A, 0x4C, 0x03, 0xBC, 0x53
85
103
  };
86
- static unsigned char dh1024_g[] = { 0x02 };
104
+ static unsigned char dh2048_g[] = { 0x02 };
87
105
 
88
106
  DH *dh;
107
+ #if !(OPENSSL_VERSION_NUMBER < 0x10100005L || defined(LIBRESSL_VERSION_NUMBER))
108
+ BIGNUM *p, *g;
109
+ #endif
110
+
89
111
  dh = DH_new();
90
112
 
91
113
  #if OPENSSL_VERSION_NUMBER < 0x10100005L || defined(LIBRESSL_VERSION_NUMBER)
92
- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
93
- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
114
+ dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
115
+ dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
94
116
 
95
117
  if ((dh->p == NULL) || (dh->g == NULL)) {
96
118
  DH_free(dh);
97
119
  return NULL;
98
120
  }
99
121
  #else
100
- BIGNUM *p, *g;
101
- p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
102
- g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
122
+ p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
123
+ g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
103
124
 
104
125
  if (p == NULL || g == NULL || !DH_set0_pqg(dh, p, NULL, g)) {
105
126
  DH_free(dh);
@@ -139,7 +160,7 @@ static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
139
160
  }
140
161
 
141
162
  VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
142
- VALUE obj;
163
+ VALUE obj, session_id_bytes;
143
164
  SSL_CTX* ctx;
144
165
  SSL* ssl;
145
166
  int min, ssl_options;
@@ -198,7 +219,7 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
198
219
  else {
199
220
  min = TLS1_VERSION;
200
221
  }
201
-
222
+
202
223
  SSL_CTX_set_min_proto_version(ctx, min);
203
224
 
204
225
  SSL_CTX_set_options(ctx, ssl_options);
@@ -226,7 +247,21 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
226
247
  SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
227
248
  }
228
249
 
229
- DH *dh = get_dh1024();
250
+ // Random.bytes available in Ruby 2.5 and later, Random::DEFAULT deprecated in 3.0
251
+ session_id_bytes = rb_funcall(
252
+ #ifdef HAVE_RANDOM_BYTES
253
+ rb_cRandom,
254
+ #else
255
+ rb_const_get(rb_cRandom, rb_intern_const("DEFAULT")),
256
+ #endif
257
+ rb_intern_const("bytes"),
258
+ 1, ULL2NUM(SSL_MAX_SSL_SESSION_ID_LENGTH));
259
+
260
+ SSL_CTX_set_session_id_context(ctx,
261
+ (unsigned char *) RSTRING_PTR(session_id_bytes),
262
+ SSL_MAX_SSL_SESSION_ID_LENGTH);
263
+
264
+ DH *dh = get_dh2048();
230
265
  SSL_CTX_set_tmp_dh(ctx, dh);
231
266
 
232
267
  #if OPENSSL_VERSION_NUMBER < 0x10002000L
@@ -493,27 +528,27 @@ void Init_mini_ssl(VALUE puma) {
493
528
  #else
494
529
  rb_define_const(mod, "OPENSSL_LIBRARY_VERSION", rb_str_new2(SSLeay_version(SSLEAY_VERSION)));
495
530
  #endif
496
-
497
- #if defined(OPENSSL_NO_SSL3) || defined(OPENSSL_NO_SSL3_METHOD)
498
- /* True if SSL3 is not available */
499
- rb_define_const(mod, "OPENSSL_NO_SSL3", Qtrue);
500
- #else
501
- rb_define_const(mod, "OPENSSL_NO_SSL3", Qfalse);
502
- #endif
503
-
504
- #if defined(OPENSSL_NO_TLS1) || defined(OPENSSL_NO_TLS1_METHOD)
505
- /* True if TLS1 is not available */
506
- rb_define_const(mod, "OPENSSL_NO_TLS1", Qtrue);
507
- #else
508
- rb_define_const(mod, "OPENSSL_NO_TLS1", Qfalse);
509
- #endif
510
-
511
- #if defined(OPENSSL_NO_TLS1_1) || defined(OPENSSL_NO_TLS1_1_METHOD)
512
- /* True if TLS1_1 is not available */
513
- rb_define_const(mod, "OPENSSL_NO_TLS1_1", Qtrue);
514
- #else
515
- rb_define_const(mod, "OPENSSL_NO_TLS1_1", Qfalse);
516
- #endif
531
+
532
+ #if defined(OPENSSL_NO_SSL3) || defined(OPENSSL_NO_SSL3_METHOD)
533
+ /* True if SSL3 is not available */
534
+ rb_define_const(mod, "OPENSSL_NO_SSL3", Qtrue);
535
+ #else
536
+ rb_define_const(mod, "OPENSSL_NO_SSL3", Qfalse);
537
+ #endif
538
+
539
+ #if defined(OPENSSL_NO_TLS1) || defined(OPENSSL_NO_TLS1_METHOD)
540
+ /* True if TLS1 is not available */
541
+ rb_define_const(mod, "OPENSSL_NO_TLS1", Qtrue);
542
+ #else
543
+ rb_define_const(mod, "OPENSSL_NO_TLS1", Qfalse);
544
+ #endif
545
+
546
+ #if defined(OPENSSL_NO_TLS1_1) || defined(OPENSSL_NO_TLS1_1_METHOD)
547
+ /* True if TLS1_1 is not available */
548
+ rb_define_const(mod, "OPENSSL_NO_TLS1_1", Qtrue);
549
+ #else
550
+ rb_define_const(mod, "OPENSSL_NO_TLS1_1", Qfalse);
551
+ #endif
517
552
 
518
553
  rb_define_singleton_method(mod, "check", noop, 0);
519
554
 
data/lib/puma/client.rb CHANGED
@@ -23,6 +23,8 @@ module Puma
23
23
 
24
24
  class ConnectionError < RuntimeError; end
25
25
 
26
+ class HttpParserError501 < IOError; end
27
+
26
28
  # An instance of this class represents a unique request from a client.
27
29
  # For example, this could be a web request from a browser or from CURL.
28
30
  #
@@ -35,7 +37,21 @@ module Puma
35
37
  # Instances of this class are responsible for knowing if
36
38
  # the header and body are fully buffered via the `try_to_finish` method.
37
39
  # They can be used to "time out" a response via the `timeout_at` reader.
40
+ #
38
41
  class Client
42
+
43
+ # this tests all values but the last, which must be chunked
44
+ ALLOWED_TRANSFER_ENCODING = %w[compress deflate gzip].freeze
45
+
46
+ # chunked body validation
47
+ CHUNK_SIZE_INVALID = /[^\h]/.freeze
48
+ CHUNK_VALID_ENDING = "\r\n".freeze
49
+
50
+ # Content-Length header value validation
51
+ CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
52
+
53
+ TE_ERR_MSG = 'Invalid Transfer-Encoding'
54
+
39
55
  # The object used for a request with no body. All requests with
40
56
  # no body share this one object since it has no state.
41
57
  EmptyBody = NullIO.new
@@ -284,16 +300,27 @@ module Puma
284
300
  body = @parser.body
285
301
 
286
302
  te = @env[TRANSFER_ENCODING2]
287
-
288
303
  if te
289
- if te.include?(",")
290
- te.split(",").each do |part|
291
- if CHUNKED.casecmp(part.strip) == 0
292
- return setup_chunked_body(body)
293
- end
304
+ te_lwr = te.downcase
305
+ if te.include? ','
306
+ te_ary = te_lwr.split ','
307
+ te_count = te_ary.count CHUNKED
308
+ te_valid = te_ary[0..-2].all? { |e| ALLOWED_TRANSFER_ENCODING.include? e }
309
+ if te_ary.last == CHUNKED && te_count == 1 && te_valid
310
+ @env.delete TRANSFER_ENCODING2
311
+ return setup_chunked_body body
312
+ elsif te_count >= 1
313
+ raise HttpParserError , "#{TE_ERR_MSG}, multiple chunked: '#{te}'"
314
+ elsif !te_valid
315
+ raise HttpParserError501, "#{TE_ERR_MSG}, unknown value: '#{te}'"
294
316
  end
295
- elsif CHUNKED.casecmp(te) == 0
296
- return setup_chunked_body(body)
317
+ elsif te_lwr == CHUNKED
318
+ @env.delete TRANSFER_ENCODING2
319
+ return setup_chunked_body body
320
+ elsif ALLOWED_TRANSFER_ENCODING.include? te_lwr
321
+ raise HttpParserError , "#{TE_ERR_MSG}, single value must be chunked: '#{te}'"
322
+ else
323
+ raise HttpParserError501 , "#{TE_ERR_MSG}, unknown value: '#{te}'"
297
324
  end
298
325
  end
299
326
 
@@ -301,7 +328,12 @@ module Puma
301
328
 
302
329
  cl = @env[CONTENT_LENGTH]
303
330
 
304
- unless cl
331
+ if cl
332
+ # cannot contain characters that are not \d
333
+ if cl =~ CONTENT_LENGTH_VALUE_INVALID
334
+ raise HttpParserError, "Invalid Content-Length: #{cl.inspect}"
335
+ end
336
+ else
305
337
  @buffer = body.empty? ? nil : body
306
338
  @body = EmptyBody
307
339
  set_ready
@@ -450,7 +482,13 @@ module Puma
450
482
  while !io.eof?
451
483
  line = io.gets
452
484
  if line.end_with?("\r\n")
453
- len = line.strip.to_i(16)
485
+ # Puma doesn't process chunk extensions, but should parse if they're
486
+ # present, which is the reason for the semicolon regex
487
+ chunk_hex = line.strip[/\A[^;]+/]
488
+ if chunk_hex =~ CHUNK_SIZE_INVALID
489
+ raise HttpParserError, "Invalid chunk size: '#{chunk_hex}'"
490
+ end
491
+ len = chunk_hex.to_i(16)
454
492
  if len == 0
455
493
  @in_last_chunk = true
456
494
  @body.rewind
@@ -481,7 +519,12 @@ module Puma
481
519
 
482
520
  case
483
521
  when got == len
484
- write_chunk(part[0..-3]) # to skip the ending \r\n
522
+ # proper chunked segment must end with "\r\n"
523
+ if part.end_with? CHUNK_VALID_ENDING
524
+ write_chunk(part[0..-3]) # to skip the ending \r\n
525
+ else
526
+ raise HttpParserError, "Chunk size mismatch"
527
+ end
485
528
  when got <= len - 2
486
529
  write_chunk(part)
487
530
  @partial_part_left = len - part.size
data/lib/puma/const.rb CHANGED
@@ -76,7 +76,7 @@ module Puma
76
76
  508 => 'Loop Detected',
77
77
  510 => 'Not Extended',
78
78
  511 => 'Network Authentication Required'
79
- }
79
+ }.freeze
80
80
 
81
81
  # For some HTTP status codes the client only expects headers.
82
82
  #
@@ -85,7 +85,7 @@ module Puma
85
85
  204 => true,
86
86
  205 => true,
87
87
  304 => true
88
- }
88
+ }.freeze
89
89
 
90
90
  # Frequently used constants when constructing requests or responses. Many times
91
91
  # the constant just refers to a string with the same contents. Using these constants
@@ -100,7 +100,7 @@ module Puma
100
100
  # too taxing on performance.
101
101
  module Const
102
102
 
103
- PUMA_VERSION = VERSION = "4.3.11".freeze
103
+ PUMA_VERSION = VERSION = "4.3.12".freeze
104
104
  CODE_NAME = "Mysterious Traveller".freeze
105
105
  PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze
106
106
 
@@ -144,9 +144,11 @@ module Puma
144
144
  408 => "HTTP/1.1 408 Request Timeout\r\nConnection: close\r\nServer: Puma #{PUMA_VERSION}\r\n\r\n".freeze,
145
145
  # Indicate that there was an internal error, obviously.
146
146
  500 => "HTTP/1.1 500 Internal Server Error\r\n\r\n".freeze,
147
+ # Incorrect or invalid header value
148
+ 501 => "HTTP/1.1 501 Not Implemented\r\n\r\n".freeze,
147
149
  # A common header for indicating the server is too busy. Not used yet.
148
150
  503 => "HTTP/1.1 503 Service Unavailable\r\n\r\nBUSY".freeze
149
- }
151
+ }.freeze
150
152
 
151
153
  # The basic max request size we'll try to read.
152
154
  CHUNK_SIZE = 16 * 1024
data/lib/puma/server.rb CHANGED
@@ -320,6 +320,10 @@ module Puma
320
320
  client.write_error(400)
321
321
  client.close
322
322
 
323
+ @events.parse_error self, client.env, e
324
+ rescue HttpParserError501 => e
325
+ client.write_error(501)
326
+ client.close
323
327
  @events.parse_error self, client.env, e
324
328
  rescue ConnectionError, EOFError
325
329
  client.close
@@ -530,7 +534,12 @@ module Puma
530
534
  client.write_error(400)
531
535
 
532
536
  @events.parse_error self, client.env, e
537
+ rescue HttpParserError501 => e
538
+ lowlevel_error(e, client.env)
533
539
 
540
+ client.write_error(501)
541
+
542
+ @events.parse_error self, client.env, e
534
543
  # Server error
535
544
  rescue StandardError => e
536
545
  lowlevel_error(e, client.env)
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puma
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.3.11
4
+ version: 4.3.12
5
5
  platform: ruby
6
6
  authors:
7
7
  - Evan Phoenix