File CVE-2019-16779.patch of Package rubygem-excon.13680

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-16779.patch of Package rubygem-excon.13680

From ccb57d7a422f020dc74f1de4e8fb505ab46d8a29 Mon Sep 17 00:00:00 2001
From: geemus <geemus@gmail.com>
Date: Thu, 12 Dec 2019 16:45:12 -0600
Subject: [PATCH] fix for leftover data with interrupted persistent connections

Thanks to @pje for disclosure, initial patch, and input
---
 lib/excon/connection.rb   |  8 ++++++++
 tests/connection_tests.rb | 23 +++++++++++++++++++++++
 tests/rackups/basic.rb    |  8 ++++++++
 3 files changed, 39 insertions(+)

diff --git a/lib/excon/connection.rb b/lib/excon/connection.rb
index 86368ef8..275bb775 100644
--- a/lib/excon/connection.rb
+++ b/lib/excon/connection.rb
@@ -262,6 +262,11 @@ def request(params={}, &block)
 
       datum[:connection] = self
 
+      # cleanup data left behind on persistent connection after interrupt
+      if datum[:persistent] && !@persistent_socket_reusable
+        reset
+      end
+
       datum[:stack] = datum[:middlewares].map do |middleware|
         lambda {|stack| middleware.new(stack)}
       end.reverse.inject(self) do |middlewares, middleware|
@@ -270,7 +275,9 @@ def request(params={}, &block)
       datum = datum[:stack].request_call(datum)
 
       unless datum[:pipeline]
+        @persistent_socket_reusable = false
         datum = response(datum)
+        @persistent_socket_reusable = true
 
         if datum[:persistent]
           if key = datum[:response][:headers].keys.detect {|k| k.casecmp('Connection') == 0 }
@@ -344,6 +351,7 @@ def reset
       if old_socket = sockets.delete(@socket_key)
         old_socket.close rescue nil
       end
+      @persistent_socket_reusable = true
     end
 
     # Generate HTTP request verb methods
diff --git a/tests/rackups/basic.rb b/tests/rackups/basic.rb
index 0bddd9ac..af199547 100644
--- a/tests/rackups/basic.rb
+++ b/tests/rackups/basic.rb
@@ -32,6 +32,14 @@ class Basic < Sinatra::Base
     echo
   end
 
+  get('/foo') do
+    'foo'
+  end
+
+  get('/bar') do
+    'bar'
+  end
+
   private
 
   def echo

Places

File CVE-2019-16779.patch of Package rubygem-excon.13680

Places