puma 7.2.0 → 7.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/History.md +7 -0
- data/lib/puma/client.rb +27 -11
- data/lib/puma/const.rb +3 -2
- metadata +2 -2
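--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: eef4284ed113815501c9e01586a0a0fcd8d2f20e23376598e176effb4b6146a0
+data.tar.gz: 83699a936ba02fbc03c2b2b10306d949f0525713d4a0cc3bbee44ecca6d71664
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a3ae91d6a0b359f450801765ed5cecb8f84204b115609ef41594812597f82211ba28c556ca5139a7bfc2ec9e68b6187a0fec481c228a0aeb40ca0ec25c57d29d
+data.tar.gz: 289b4a1da3eaa061df1a0f7f8d7b5fce12d74e211a23fae0e7b7eae24fab85692b6636ed687ef8f4b833f7ff5ad975f3c17575f1061e1a4dc30ba517125b1788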
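--- a/data/History.md
+++ b/data/History.md
@@ -1,3 +1,9 @@
+## 7.2.1 / 2026-05-27
+
+* Bugfixes
+* Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs ([#3947])
+* Parse PROXY protocol only once per connection to prevent injection on keep-alive requests ([#3947])
+
 ## 7.2.0 / 2026-01-20
 
 * Features
@@ -2294,6 +2300,7 @@ be added back in a future date when a java Puma::MiniSSL is added.
 * Bugfixes
 * Your bugfix goes here <Most recent on the top, like GitHub> (#Github Number)
 
+[#3947]:https://github.com/puma/puma/pull/3947 "PR by Nate Berkopec, merged 2026-05-26"
 [#3863]:https://github.com/puma/puma/pull/3863 "PR by Nate Berkopec, merged 2026-01-20"
 [#3861]:https://github.com/puma/puma/pull/3861 "PR by MSP-Greg, merged 2026-01-20"
 [#3860]:https://github.com/puma/puma/pull/3860 "PR by MSP-Greg, merged 2026-01-16"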
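--- a/data/lib/puma/client.rb
+++ b/data/lib/puma/client.rb
@@ -157,7 +157,7 @@ module Puma
 @parser.reset
 @io_buffer.reset
 @read_header = true
-@read_proxy = !!@expect_proxy_proto
+@read_proxy = !!@expect_proxy_proto && @requests_served.zero?
 @env = @proto_env.dup
 @parsed_bytes = 0
 @ready = false
@@ -211,20 +211,36 @@ module Puma
 def try_to_parse_proxy_protocol
 if @read_proxy
 if @expect_proxy_proto == :v1
-
-
-
-
+crlf_index = @buffer.index "\r\n"
+
+unless crlf_index
+if "PROXY ".start_with? @buffer
+return false
+elsif @buffer.start_with? "PROXY "
+if @buffer.bytesize >= PROXY_PROTOCOL_V1_MAX_LENGTH
+raise ConnectionError, "PROXY protocol v1 line is too long"
 end
-
+return false
 end
-
-# request, this is just HTTP from a non-PROXY client; move on
+
 @read_proxy = false
-return
-
-
+return true
+end
+
+if @buffer.start_with?("PROXY ") && crlf_index + 2 > PROXY_PROTOCOL_V1_MAX_LENGTH
+raise ConnectionError, "PROXY protocol v1 line is too long"
+end
+
+if md = PROXY_PROTOCOL_V1_REGEX.match(@buffer)
+if md[1]
+@peerip = md[1].split(" ")[0]
+end
+@buffer = md.post_match
 end
+# if the buffer has a \r\n but doesn't have a PROXY protocol
+# request, this is just HTTP from a non-PROXY client; move on
+@read_proxy = false
+return @buffer.size > 0
 end
 end
 true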
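Review bot: The token assigned to @peerip at new line 236 is never validated: PROXY_PROTOCOL_V1_REGEX (const.rb in this same diff) captures `([^\r]+)`, so `md[1].split(" ")[0]` can be any client-supplied byte string other than CR/space — a bare LF included — rather than an IP literal, and whatever later consumes @peerip (not visible in this hunk) receives it verbatim. Parsing the candidate with `IPAddr.new` and turning `IPAddr::Error` into the same `ConnectionError` the length checks raise would close that, provided `ipaddr` is loaded somewhere in the file; narrowing the capture group in const.rb is the alternative. Two smaller points in the same hunk: `if md[1]` on line 235 can never be false because the group is `+`-quantified, so the guard is dead code, and the two too-long checks mix units — `@buffer.bytesize` on line 220 versus the character index returned by `@buffer.index "\r\n"` on line 230 — which only coincide if @buffer is binary-encoded, something this hunk does not show. The method's closing `end` lies outside the hunk.
```ruby
if md = PROXY_PROTOCOL_V1_REGEX.match(@buffer)
  candidate = md[1].split(" ")[0].to_s
  begin
    IPAddr.new(candidate)
  rescue IPAddr::Error
    raise ConnectionError, "PROXY protocol v1 source address is invalid"
  end
  @peerip = candidate
  @buffer = md.post_match
end
# … unchanged: non-PROXY fall-through (@read_proxy = false; return @buffer.size > 0) …
```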
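--- a/data/lib/puma/const.rb
+++ b/data/lib/puma/const.rb
@@ -100,7 +100,7 @@ module Puma
 # too taxing on performance.
 module Const
 
-PUMA_VERSION = VERSION = "7.2.
+PUMA_VERSION = VERSION = "7.2.1"
 CODE_NAME = "On The Corner"
 
 PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze
@@ -291,7 +291,8 @@ module Puma
 # Banned keys of response header
 BANNED_HEADER_KEY = /\A(rack\.|status\z)/.freeze
 
-PROXY_PROTOCOL_V1_REGEX =
+PROXY_PROTOCOL_V1_REGEX = /\APROXY (?:TCP4|TCP6|UNKNOWN) ([^\r]+)\r\n/.freeze
+PROXY_PROTOCOL_V1_MAX_LENGTH = 107
 
 # All constants are prefixed with `PIPE_` to avoid name collisions.
 module PipeRequest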
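Review bot: `PROXY_PROTOCOL_V1_MAX_LENGTH = 107` on new line 295 is an undocumented magic number; a line above it such as `# Longest PROXY v1 header line the spec permits, in bytes and including the trailing CRLF` would let a reader check the `>=` and `+ 2 >` comparisons in client.rb against it. The regex on line 294 deserves a comment too: its single group captures the whole tail after the family token (client.rb takes the first space-separated field as the source address), and because it demands a space plus at least one byte after `UNKNOWN`, a spec-valid bare `PROXY UNKNOWN\r\n` line does not match and, as far as this diff shows, is left in the buffer for the HTTP parser. A note like `# The capture holds "src dst sport dport"; UNKNOWN lines without address fields are intentionally not matched` would make that either deliberate or visibly wrong.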
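--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-version: 7.2.
+version: 7.2.1
 platform: ruby
 authors:
 - Evan Phoenix
@@ -146,7 +146,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 4.0.
+rubygems_version: 4.0.6
 specification_version: 4
 summary: A Ruby/Rack web server built for parallelism.
 test_files: []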