SUSE:SLE-12-SP4:GA
rubygem-puma
CVE-2020-5247.patch
File CVE-2020-5247.patch of Package rubygem-puma
From 07d4006ed61dcd949055aeafb9c9135628e8260b Mon Sep 17 00:00:00 2001 From: dmaiocchi <dmaiocchi@suse.com> Date: Mon, 3 Aug 2020 11:52:41 +0200 Subject: [PATCH] HTTP Injection - fix bug + 1 more vector (#2136) + Fixes a problem in 4.3.2/3.12.3 where we were not splitting newlines in headers according to Rack spec + Fixes another vector for HTTP injection - early hints --- lib/puma/const.rb | 1 + lib/puma/server.rb | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/lib/puma/const.rb b/lib/puma/const.rb index a2c5be05..5791628a 100644 --- a/lib/puma/const.rb +++ b/lib/puma/const.rb @@ -226,6 +226,7 @@ module Puma COLON = ": ".freeze NEWLINE = "\n".freeze + HTTP_INJECTION_REGEX = /[\r\n]/.freeze HIJACK_P = "rack.hijack?".freeze HIJACK = "rack.hijack".freeze diff --git a/lib/puma/server.rb b/lib/puma/server.rb index 293342c1..49455c57 100644 --- a/lib/puma/server.rb +++ b/lib/puma/server.rb @@ -723,6 +723,7 @@ module Puma headers.each do |k, vs| case k.downcase when CONTENT_LENGTH2 + next if possible_header_injection?(vs) content_length = vs next when TRANSFER_ENCODING @@ -735,6 +736,7 @@ module Puma if vs.respond_to?(:to_s) && !vs.to_s.empty? vs.to_s.split(NEWLINE).each do |v| + next if possible_header_injection?(v) lines.append k, colon, v, line_ending end else @@ -994,6 +996,11 @@ module Puma ThreadLocalKey = :puma_server + def possible_header_injection?(header_value) + HTTP_INJECTION_REGEX =~ header_value.to_s + end + private :possible_header_injection? + def self.current Thread.current[ThreadLocalKey] end -- 2.26.2
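Review bot: in the lib/puma/const.rb hunk, `HTTP_INJECTION_REGEX = /[\r\n]/.freeze` is dropped between NEWLINE and HIJACK_P with no comment saying what it guards against, and the name alone does not tell a later reader that a header value carrying a bare CR or LF would let an application response split or forge headers. A one-line comment above the constant would help, and it should note that the server.rb callers apply it after splitting multi-value headers on NEWLINE, so for ordinary headers it can only ever match a stray `\r`; only the Content-Length branch checks the raw, unsplit value.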
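Review bot: in the `@@ -723,6 +723,7 @@` hunk, `next if possible_header_injection?(vs)` silently throws away a Content-Length that contains CR or LF, so the response goes out without that length and nothing tells the operator that the application produced a malformed header. Skipping both `content_length = vs` and the generic emission below is the right outcome, but please log the dropped header (key and a sanitised value) through the server's normal logging so the faulty application can be located, and add a test with a Content-Length value such as `"10\r\nX-Injected: 1"` asserting the header is absent from the output.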
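Review bot: the commit message claims this also fixes the early hints vector, but neither server.rb hunk touches an early-hints path; the `@@ -735,6 +736,7 @@` hunk only guards the main response loop, where `next if possible_header_injection?(v)` runs on pieces already produced by `vs.to_s.split(NEWLINE)`, so a piece can at most contain a `\r` and that is all the check rejects here. Either the early-hints hunk was dropped in the backport and the message should say so, or the hunk is missing from this patch. A short comment on the `next` line explaining that a value like `"a\r\nX: y"` becomes `["a\r", "X: y"]` and that the first piece is what gets rejected would make the intent clear to the next maintainer.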
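Review bot: in the `@@ -994,6 +996,11 @@` hunk, `possible_header_injection?` is a `?`-suffixed predicate but `HTTP_INJECTION_REGEX =~ header_value.to_s` returns an Integer offset or nil rather than true/false, and `=~` also sets `$~` on every header emitted. `HTTP_INJECTION_REGEX.match?(header_value.to_s)` gives a real boolean and avoids the MatchData allocation on this hot path. The `.to_s` is needed because the Content-Length caller passes the raw `vs`, so keep it; a one-line comment saying the method is called both with raw and with already-split values would document that.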