puma 6.4.2-java → 6.4.3-java
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/History.md +10 -0
- data/ext/puma_http11/org/jruby/puma/Http11.java +2 -0
- data/lib/puma/const.rb +9 -1
- data/lib/puma/puma_http11.jar +0 -0
- data/lib/puma/request.rb +16 -3
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 2c64abd1fab8a1c0fba14f0294713f8e903c8fecd721c7f057dfdbe0805747fc
|
|
4
|
+
data.tar.gz: a402d2a1cae3e79f46cfb6d896962edbf267afedc0d3875a1da461a6512d8d57
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bbf05e7a426685b8122a443bf2c658f1c9f98ff66125953a34174ccfff3a3340f63eeac5adb93c25c563e67d830741fe35c8a9555acdda4d51e59159a1954cc5
|
|
7
|
+
data.tar.gz: 668bd2b0817bd8da6a2bfcf9ad8eb5c7383b3911a112e75c6547d4e7daa21e5d0c8bbf44a010dae88a939d492e109a5197746380e4c21805bcb50228b790af80
|
data/History.md
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
## 6.4.3 / 2024-09-19
|
|
2
|
+
|
|
3
|
+
* Security
|
|
4
|
+
* Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). ([CVE-2024-45614](https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4)/GHSA-9hf4-67fc-4vf4)
|
|
5
|
+
|
|
1
6
|
## 6.4.2 / 2024-01-08
|
|
2
7
|
|
|
3
8
|
* Security
|
|
@@ -173,6 +178,11 @@
|
|
|
173
178
|
* Ruby 3.2 will have native IO#wait_* methods, don't require io/wait ([#2903])
|
|
174
179
|
* Various internal API refactorings ([#2942], [#2921], [#2922], [#2955])
|
|
175
180
|
|
|
181
|
+
## 5.6.9 / 2024-09-19
|
|
182
|
+
|
|
183
|
+
* Security
|
|
184
|
+
* Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). ([CVE-2024-45614](https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4)/GHSA-9hf4-67fc-4vf4)
|
|
185
|
+
|
|
176
186
|
## 5.6.8 / 2024-01-08
|
|
177
187
|
|
|
178
188
|
* Security
|
data/lib/puma/const.rb
CHANGED
|
@@ -100,7 +100,7 @@ module Puma
|
|
|
100
100
|
# too taxing on performance.
|
|
101
101
|
module Const
|
|
102
102
|
|
|
103
|
-
PUMA_VERSION = VERSION = "6.4.
|
|
103
|
+
PUMA_VERSION = VERSION = "6.4.3"
|
|
104
104
|
CODE_NAME = "The Eagle of Durango"
|
|
105
105
|
|
|
106
106
|
PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze
|
|
@@ -281,6 +281,14 @@ module Puma
|
|
|
281
281
|
# header values can contain HTAB?
|
|
282
282
|
ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
|
|
283
283
|
|
|
284
|
+
# The keys of headers that should not be convert to underscore
|
|
285
|
+
# normalized versions. These headers are ignored at the request reading layer,
|
|
286
|
+
# but if we normalize them after reading, it's just confusing for the application.
|
|
287
|
+
UNMASKABLE_HEADERS = {
|
|
288
|
+
"HTTP_TRANSFER,ENCODING" => true,
|
|
289
|
+
"HTTP_CONTENT,LENGTH" => true,
|
|
290
|
+
}
|
|
291
|
+
|
|
284
292
|
# Banned keys of response header
|
|
285
293
|
BANNED_HEADER_KEY = /\A(rack\.|status\z)/.freeze
|
|
286
294
|
|
data/lib/puma/puma_http11.jar
CHANGED
|
Binary file
|
data/lib/puma/request.rb
CHANGED
|
@@ -495,6 +495,11 @@ module Puma
|
|
|
495
495
|
# compatibility, we'll convert them back. This code is written to
|
|
496
496
|
# avoid allocation in the common case (ie there are no headers
|
|
497
497
|
# with `,` in their names), that's why it has the extra conditionals.
|
|
498
|
+
#
|
|
499
|
+
# @note If a normalized version of a `,` header already exists, we ignore
|
|
500
|
+
# the `,` version. This prevents clobbering headers managed by proxies
|
|
501
|
+
# but not by clients (Like X-Forwarded-For).
|
|
502
|
+
#
|
|
498
503
|
# @param env [Hash] see Puma::Client#env, from request, modifies in place
|
|
499
504
|
# @version 5.0.3
|
|
500
505
|
#
|
|
@@ -503,23 +508,31 @@ module Puma
|
|
|
503
508
|
to_add = nil
|
|
504
509
|
|
|
505
510
|
env.each do |k,v|
|
|
506
|
-
if k.start_with?("HTTP_") && k.include?(",") && k
|
|
511
|
+
if k.start_with?("HTTP_") && k.include?(",") && !UNMASKABLE_HEADERS.key?(k)
|
|
507
512
|
if to_delete
|
|
508
513
|
to_delete << k
|
|
509
514
|
else
|
|
510
515
|
to_delete = [k]
|
|
511
516
|
end
|
|
512
517
|
|
|
518
|
+
new_k = k.tr(",", "_")
|
|
519
|
+
if env.key?(new_k)
|
|
520
|
+
next
|
|
521
|
+
end
|
|
522
|
+
|
|
513
523
|
unless to_add
|
|
514
524
|
to_add = {}
|
|
515
525
|
end
|
|
516
526
|
|
|
517
|
-
to_add[
|
|
527
|
+
to_add[new_k] = v
|
|
518
528
|
end
|
|
519
529
|
end
|
|
520
530
|
|
|
521
|
-
if to_delete
|
|
531
|
+
if to_delete # rubocop:disable Style/SafeNavigation
|
|
522
532
|
to_delete.each { |k| env.delete(k) }
|
|
533
|
+
end
|
|
534
|
+
|
|
535
|
+
if to_add
|
|
523
536
|
env.merge! to_add
|
|
524
537
|
end
|
|
525
538
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puma
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.4.
|
|
4
|
+
version: 6.4.3
|
|
5
5
|
platform: java
|
|
6
6
|
authors:
|
|
7
7
|
- Evan Phoenix
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-09-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|