puma 6.4.1 → 6.4.2
- checksums.yaml +4 -4
- data/History.md +10 -0
- data/lib/puma/client.rb +27 -0
- data/lib/puma/const.rb +1 -1
- metadata +2 -2
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 2 | 
             
            SHA256:
         | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 3 | 
            +
              metadata.gz: d4eec1c88853ffbaadba238d829879c8a47f6a553ed6ce97fcfdc20f70e9cb16
         | 
| 4 | 
            +
              data.tar.gz: 4ecd30023954ae7bc18d89e28875371687b54c41a3bd3e62b396039614089e38
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: 98451682f4e6bc79dc1336f7ee4d7b702b13b0c9cd0f99e4a3aeca37c96ea096401c43cda5402ec9a4af25fc4f5d7d15da8d6157ad957f3128586e022cabc263
         | 
| 7 | 
            +
              data.tar.gz: c5e6aaf5d405e57a6b47df3be3c52c5b006c1160b5c90d2a549d25e731ea44b6ad1828ceffb1e4791ceea66eef0f07718dbee76b17a1db272a4ed79a6ff3ff53
         | 
    
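--- a/data/History.md
+++ b/data/History.md
@@ -1,3 +1,8 @@
+## 6.4.2 / 2024-01-08
+
+* Security
+  * Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. ([GHSA-c2f4-cvqm-65w2](https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2))
+
 ## 6.4.1 / 2024-01-03
 
 * Bugfixes
@@ -168,6 +173,11 @@
   * Ruby 3.2 will have native IO#wait_* methods, don't require io/wait ([#2903])
   * Various internal API refactorings ([#2942], [#2921], [#2922], [#2955])
 
+## 5.6.8 / 2024-01-08
+
+* Security
+  * Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. ([GHSA-c2f4-cvqm-65w2](https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2))
+
 ## 5.6.7 / 2023-08-18
 
 * Security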
    
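--- a/data/lib/puma/client.rb
+++ b/data/lib/puma/client.rb
@@ -51,6 +51,14 @@ module Puma
     CHUNK_VALID_ENDING = Const::LINE_END
     CHUNK_VALID_ENDING_SIZE = CHUNK_VALID_ENDING.bytesize
 
+    # The maximum number of bytes we'll buffer looking for a valid
+    # chunk header.
+    MAX_CHUNK_HEADER_SIZE = 4096
+
+    # The maximum amount of excess data the client sends
+    # using chunk size extensions before we abort the connection.
+    MAX_CHUNK_EXCESS = 16 * 1024
+
     # Content-Length header value validation
     CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze
 
@@ -496,6 +504,7 @@ module Puma
       @chunked_body = true
       @partial_part_left = 0
       @prev_chunk = ""
+      @excess_cr = 0
 
       @body = Tempfile.new(Const::PUMA_TMP_BASE)
       @body.unlink
@@ -577,6 +586,20 @@ module Puma
             end
           end
 
+          # Track the excess as a function of the size of the
+          # header vs the size of the actual data. Excess can
+          # go negative (and is expected to) when the body is
+          # significant.
+          # The additional of chunk_hex.size and 2 compensates
+          # for a client sending 1 byte in a chunked body over
+          # a long period of time, making sure that that client
+          # isn't accidentally eventually punished.
+          @excess_cr += (line.size - len - chunk_hex.size - 2)
+
+          if @excess_cr >= MAX_CHUNK_EXCESS
+            raise HttpParserError, "Maximum chunk excess detected"
+          end
+
           len += 2
 
           part = io.read(len)
@@ -604,6 +627,10 @@ module Puma
             @partial_part_left = len - part.size
           end
         else
+          if @prev_chunk.size + chunk.size >= MAX_CHUNK_HEADER_SIZE
+            raise HttpParserError, "maximum size of chunk header exceeded"
+          end
+
           @prev_chunk = line
           return false
         end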
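Review bot: The header-size guard in the last hunk measures `@prev_chunk.size + chunk.size`, but what is actually carried forward is `line`, the partial chunk-size line assembled from earlier reads plus this one, so the limit is only an accumulated bound if `@prev_chunk` still holds the earlier bytes at that point; if it is cleared when merged into `io` earlier in the method (outside this hunk), each read is judged on its own and a client drip-feeding a chunk-size line in small writes is never cut off. Checking the buffered header itself, `if line.bytesize >= MAX_CHUNK_HEADER_SIZE`, bounds what is stored in `@prev_chunk` regardless of how `io` was built. The excess accounting in the third hunk likewise uses `line.size` (characters) while the class sizes `CHUNK_VALID_ENDING` with `bytesize`; the two agree only if the chunk buffer is binary-encoded, which is not visible here, and `line.bytesize` would remove the dependency. The new comment's "The additional of chunk_hex.size and 2" should read "The addition of chunk_hex.size and 2 (the CRLF)". The enclosing method begins and ends outside these hunks.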
    
        data/lib/puma/const.rb
    CHANGED
    
    | @@ -100,7 +100,7 @@ module Puma | |
| 100 100 | 
             
              # too taxing on performance.
         | 
| 101 101 | 
             
              module Const
         | 
| 102 102 |  | 
| 103 | 
            -
                PUMA_VERSION = VERSION = "6.4. | 
| 103 | 
            +
                PUMA_VERSION = VERSION = "6.4.2"
         | 
| 104 104 | 
             
                CODE_NAME = "The Eagle of Durango"
         | 
| 105 105 |  | 
| 106 106 | 
             
                PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze
         | 
    
        metadata
    CHANGED
    
    | @@ -1,14 +1,14 @@ | |
| 1 1 | 
             
            --- !ruby/object:Gem::Specification
         | 
| 2 2 | 
             
            name: puma
         | 
| 3 3 | 
             
            version: !ruby/object:Gem::Version
         | 
| 4 | 
            -
              version: 6.4. | 
| 4 | 
            +
              version: 6.4.2
         | 
| 5 5 | 
             
            platform: ruby
         | 
| 6 6 | 
             
            authors:
         | 
| 7 7 | 
             
            - Evan Phoenix
         | 
| 8 8 | 
             
            autorequire:
         | 
| 9 9 | 
             
            bindir: bin
         | 
| 10 10 | 
             
            cert_chain: []
         | 
| 11 | 
            -
            date: 2024-01- | 
| 11 | 
            +
            date: 2024-01-08 00:00:00.000000000 Z
         | 
| 12 12 | 
             
            dependencies:
         | 
| 13 13 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 14 14 | 
             
              name: nio4r
         |