RubyGems - puma - Versions diffs - 8.0.1 → 8.0.2 - Mend

puma 8.0.1 → 8.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b4bda2b8a9ed5838776f890077459a3db57a8a581b17516434ba9b9cbd5d0f71
-  data.tar.gz: 621365fbc4837c30dc8c7d32de00ceadbcf80db735ae2388aeb0b521414a1b3c
+  metadata.gz: 6c96b9615e3021ca787fdb02a91af1bcfc2c2201465efd375e94c0100d089ece
+  data.tar.gz: 620a8240509ff2acbac19e20b4d8f55aa7cef0b6fb8bef0836f31c848b9def67
 SHA512:
-  metadata.gz: 321cc06d7e4f77147aeeb44b29b7de9627b5942ef374b93f64a5aa89c85414c761c79833ba61e6accb0fee53ee68cc91f07121d7a74ab106a1091885e806b123
-  data.tar.gz: eb9e6c89473875970b71d2fec792e68c1355ab0dff2dc6d887cd7221449c5c9e20f7030ec3bc3ed8edb18ff50c906697067325a86d040bdc9bfedb5d74566454
+  metadata.gz: 88e2c0146d21143793a559dbb515ce22866266a5750acd0e55c9d84bbc41c536341e3602b34d4e192dad265102bc6bd93b0e300d1ee60806482aa9ba67e59e29
+  data.tar.gz: 6f5d132d87d2b78a3b240eec1029f7eab30ce22f5de1dfcbc1ba0bc2d253655b58594bd1104def34cb169a56aef4642666267dcadb347f2381e63179dddf1946

data/History.md CHANGED Viewed

@@ -1,3 +1,9 @@
+## 8.0.2 / 2026-05-27
+* Bugfixes
+  * Anchor PROXY protocol v1 regex to string start and enforce max line length to prevent injection via crafted request bodies ([#3944])
+  * Parse PROXY protocol header only on the first request per connection to prevent spoofing on keep-alive connections ([#3944])
 ## 8.0.1 / 2026-04-27
 * Bugfixes
@@ -2335,6 +2341,7 @@ be added back in a future date when a java Puma::MiniSSL is added.
 * Bugfixes
   * Your bugfix goes here <Most recent on the top, like GitHub> (#Github Number)
+[#3944]:https://github.com/puma/puma/pull/3944     "PR by Nate Berkopec, merged 2026-05-26"
 [#3929]:https://github.com/puma/puma/pull/3929     "PR by Joshua Young, merged 2026-04-26"
 [#3928]:https://github.com/puma/puma/pull/3928     "PR by Nate Berkopec, merged 2026-04-16"
 [#3923]:https://github.com/puma/puma/pull/3923     "PR by Joshua Young, merged 2026-04-10"

data/lib/puma/client.rb CHANGED Viewed

@@ -163,7 +163,7 @@ module Puma
       @parser.reset
       @io_buffer.reset
       @read_header = true
-      @read_proxy = !!@expect_proxy_proto
+      @read_proxy = !!@expect_proxy_proto && @requests_served.zero?
       @env = @proto_env.dup
       @parsed_bytes = 0
       @ready = false
@@ -213,20 +213,36 @@ module Puma
     def try_to_parse_proxy_protocol
       if @read_proxy
         if @expect_proxy_proto == :v1
-          if @buffer.include? "\r\n"
-            if md = PROXY_PROTOCOL_V1_REGEX.match(@buffer)
-              if md[1]
-                @peerip = md[1].split(" ")[0]
+          crlf_index = @buffer.index "\r\n"
+          unless crlf_index
+            if "PROXY ".start_with? @buffer
+              return false
+            elsif @buffer.start_with? "PROXY "
+              if @buffer.bytesize >= PROXY_PROTOCOL_V1_MAX_LENGTH
+                raise ConnectionError, "PROXY protocol v1 line is too long"
               end
-              @buffer = md.post_match
+              return false
             end
-            # if the buffer has a \r\n but doesn't have a PROXY protocol
-            # request, this is just HTTP from a non-PROXY client; move on
             @read_proxy = false
-            return @buffer.size > 0
-          else
-            return false
+            return true
+          end
+          if @buffer.start_with?("PROXY ") && crlf_index + 2 > PROXY_PROTOCOL_V1_MAX_LENGTH
+            raise ConnectionError, "PROXY protocol v1 line is too long"
+          end
+          if md = PROXY_PROTOCOL_V1_REGEX.match(@buffer)
+            if md[1]
+              @peerip = md[1].split(" ")[0]
+            end
+            @buffer = md.post_match
           end
+          # if the buffer has a \r\n but doesn't have a PROXY protocol
+          # request, this is just HTTP from a non-PROXY client; move on
+          @read_proxy = false
+          return @buffer.size > 0
         end
       end
       true

data/lib/puma/const.rb CHANGED Viewed

@@ -100,7 +100,7 @@ module Puma
   # too taxing on performance.
   module Const
-    PUMA_VERSION = VERSION = "8.0.1"
+    PUMA_VERSION = VERSION = "8.0.2"
     CODE_NAME = "Into the Arena"
     PUMA_SERVER_STRING = ["puma", PUMA_VERSION, CODE_NAME].join(" ").freeze
@@ -291,7 +291,8 @@ module Puma
     # Banned keys of response header
     BANNED_HEADER_KEY = /\A(rack\.|status\z)/.freeze
-    PROXY_PROTOCOL_V1_REGEX = /^PROXY (?:TCP4|TCP6|UNKNOWN) ([^\r]+)\r\n/.freeze
+    PROXY_PROTOCOL_V1_REGEX = /\APROXY (?:TCP4|TCP6|UNKNOWN) ([^\r]+)\r\n/.freeze
+    PROXY_PROTOCOL_V1_MAX_LENGTH = 107
     # All constants are prefixed with `PIPE_` to avoid name collisions.
     module PipeRequest

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: puma
 version: !ruby/object:Gem::Version
-  version: 8.0.1
+  version: 8.0.2
 platform: ruby
 authors:
 - Evan Phoenix