Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP2
rubygem-puma.35973
CVE-2024-21647.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2024-21647.patch of Package rubygem-puma.35973
From bbb880ffb6debbfdea535b4b3eb2204d49ae151d Mon Sep 17 00:00:00 2001 From: Nate Berkopec <nate.berkopec@gmail.com> Date: Mon, 8 Jan 2024 14:48:43 +0900 Subject: [PATCH] Merge pull request from GHSA-c2f4-cvqm-65w2 Co-authored-by: MSP-Greg <MSP-Greg@users.noreply.github.com> Co-authored-by: Patrik Ragnarsson <patrik@starkast.net> Co-authored-by: Evan Phoenix <evan@phx.io> diff --git a/lib/puma/client.rb b/lib/puma/client.rb index cd89e8fe..796c25b3 100644 --- a/lib/puma/client.rb +++ b/lib/puma/client.rb @@ -48,6 +48,14 @@ module Puma CHUNK_VALID_ENDING = Const::LINE_END CHUNK_VALID_ENDING_SIZE = CHUNK_VALID_ENDING.bytesize + # The maximum number of bytes we'll buffer looking for a valid + # chunk header. + MAX_CHUNK_HEADER_SIZE = 4096 + + # The maximum amount of excess data the client sends + # using chunk size extensions before we abort the connection. + MAX_CHUNK_EXCESS = 16 * 1024 + # Content-Length header value validation CONTENT_LENGTH_VALUE_INVALID = /[^\d]/.freeze @@ -441,6 +449,7 @@ module Puma @chunked_body = true @partial_part_left = 0 @prev_chunk = "" + @excess_cr = 0 @body = Tempfile.new(Const::PUMA_TMP_BASE) @body.binmode @@ -513,6 +522,20 @@ module Puma end end + # Track the excess as a function of the size of the + # header vs the size of the actual data. Excess can + # go negative (and is expected to) when the body is + # significant. + # The additional of chunk_hex.size and 2 compensates + # for a client sending 1 byte in a chunked body over + # a long period of time, making sure that that client + # isn't accidentally eventually punished. + @excess_cr += (line.size - len - chunk_hex.size - 2) + + if @excess_cr >= MAX_CHUNK_EXCESS + raise HttpParserError, "Maximum chunk excess detected" + end + len += 2 part = io.read(len) @@ -540,6 +563,10 @@ module Puma @partial_part_left = len - part.size end else + if @prev_chunk.size + chunk.size >= MAX_CHUNK_HEADER_SIZE + raise HttpParserError, "maximum size of chunk header exceeded" + end + @prev_chunk = line return false end
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor