puma 5.6.7-java → 5.6.8-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c7739d532cbd298f6d3fe97c1c5e99af45d29b792649705851542ac54aafbd2c
-  data.tar.gz: a066b4636189819ea7109124c470eb2cba5f35083ab7c01b4389552a4acb9220
+  metadata.gz: 6ed72bc95b403e5e588dfd3809f8c48c1fb4577d628e6e5fed467f3a3c3d72bc
+  data.tar.gz: 7d11eab19b070a31cf61e2582bd9d669be46dc571a16a64751a74401a4f6c36c
 SHA512:
-  metadata.gz: 010d1a62e046ccaef614623e59511b235f77eb4d292ef00b415d25335ced57344c758409dff13a88e730df8d644507421567102a9b1fbd7856dc96ed6546ba4e
-  data.tar.gz: 304182f6bf28e4262e622bd9d00e504db9c2682e484c525a36efea6e141891adabdec427c6a8cf619fae6860266865b01fa39056b52a838bb19b285f9320361b
+  metadata.gz: 6f030945f1d3164c941e45ef216a0374d66e3059d8afa633aa56ae049514b5bbd9970dc9afa3b1e31d6fdca6b0647b0a487abbde204ac0e30f6eeb0d3a2b04ec
+  data.tar.gz: eb1a6d5e1b97bbcfd85fb1a866d66c35476fc50ada1676066b26830d9a2b11226707d2d7a0dd9b294d41438cdcdd008aa038d4dbd49ae33218f21f41098253a5

data/History.md

@@ -1,6 +1,11 @@
+## 5.6.8 / 2023-01-08
+
+* Security
+  * Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. ([GHSA-c2f4-cvqm-65w2](https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2))
+
 ## 5.6.7 / 2023-08-18
 
-* Security 
+* Security
   * Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields ([GHSA-68xg-gqqm-vgj8](https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8))
 
 ## 5.6.6 / 2023-06-21

data/lib/puma/client.rb

@@ -48,6 +48,14 @@ module Puma
     CHUNK_VALID_ENDING = Const::LINE_END
     CHUNK_VALID_ENDING_SIZE = CHUNK_VALID_ENDING.bytesize
 
+    # The maximum number of bytes we'll buffer looking for a valid
+    # chunk header.
+    MAX_CHUNK_HEADER_SIZE = 4096
+
+    # The maximum amount of excess data the client sends
+    # using chunk size extensions before we abort the connection.
+    MAX_CHUNK_EXCESS = 16 * 1024
+
     # Content-Length header value validation
     CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
 
@@ -460,6 +468,7 @@ module Puma
       @chunked_body = true
       @partial_part_left = 0
       @prev_chunk = ""
+      @excess_cr = 0
 
       @body = Tempfile.new(Const::PUMA_TMP_BASE)
       @body.unlink
@@ -541,6 +550,20 @@ module Puma
             end
           end
 
+          # Track the excess as a function of the size of the
+          # header vs the size of the actual data. Excess can
+          # go negative (and is expected to) when the body is
+          # significant.
+          # The additional of chunk_hex.size and 2 compensates
+          # for a client sending 1 byte in a chunked body over
+          # a long period of time, making sure that that client
+          # isn't accidentally eventually punished.
+          @excess_cr += (line.size - len - chunk_hex.size - 2)
+
+          if @excess_cr >= MAX_CHUNK_EXCESS
+            raise HttpParserError, "Maximum chunk excess detected"
+          end
+
           len += 2
 
           part = io.read(len)
@@ -568,6 +591,10 @@ module Puma
             @partial_part_left = len - part.size
           end
         else
+          if @prev_chunk.size + chunk.size >= MAX_CHUNK_HEADER_SIZE
+            raise HttpParserError, "maximum size of chunk header exceeded"
+          end
+
           @prev_chunk = line
           return false
         end

data/lib/puma/const.rb

@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
 
-    PUMA_VERSION = VERSION = "5.6.7".freeze
+    PUMA_VERSION = VERSION = "5.6.8".freeze
     CODE_NAME = "Birdie's Version".freeze
 
     PUMA_SERVER_STRING = ['puma', PUMA_VERSION, CODE_NAME].join(' ').freeze

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 5.6.7
+  version: 5.6.8
 platform: java
 authors:
 - Evan Phoenix
 autorequire:
 bindir: bin
 cert_chain: []
-date: 1980-01-01 00:00:00.000000000 Z
+date: 2024-01-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement